cyrus-imapd-3.0.7-19.el8

Errata ID: AXSA:2021-1276:01

Release date: Wednesday, January 20, 2021 - 12:27
Subject: cyrus-imapd-3.0.7-19.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and SIEVE support.

Security Fix(es):

* cyrus-imapd: privilege escalation in HTTP request (CVE-2019-18928)

* cyrus-imapd: lmtpd component created mailboxes with administrator privileges if the "fileinto" directive was used, bypassing ACL checks (CVE-2019-19783)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

CVE-2019-18928
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.
CVE-2019-19783
An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. cyrus-imapd-3.0.7-19.el8.src.rpm
    MD5: 1bef2f04187ef52b8cafffe493a17f92
    SHA-256: b0c9b3a4be35578d6a764d19205e6de9907313b9a15e5e1861ffeb4ec031239e
    Size: 10.27 MB

Asianux Server 8 for x86_64
  1. cyrus-imapd-3.0.7-19.el8.x86_64.rpm
    MD5: c537d86f5fc0e48b55be101f58910617
    SHA-256: 3a12be976b2b129b397993bc0f006cd965c79d39fd7097e02082862da73351f7
    Size: 1.66 MB
  2. cyrus-imapd-utils-3.0.7-19.el8.x86_64.rpm
    MD5: 849ff52616111a86c36c1bceb8a1fa73
    SHA-256: 83e003db15c24f527128ea6aac096a1deb0f98dcd52465be82c5434e1f60d6aa
    Size: 644.00 kB
  3. cyrus-imapd-vzic-3.0.7-19.el8.x86_64.rpm
    MD5: 7054da6060e5f7e01aab27dfc5c2763e
    SHA-256: 5171d4f0351ca624dfa20286a6d6c9f21f954296252f1fa58656a982af869d9d
    Size: 43.29 kB
  4. cyrus-imapd-3.0.7-19.el8.i686.rpm
    MD5: 8f041bf24e584a21bf9f1eb0166be6e9
    SHA-256: 5d2ee8c601b261eed2d8925a4e9d42ec863f041c5a9f7a5113842f2b1f539b9d
    Size: 1.75 MB