cyrus-imapd-2.3.16-6.AXS4.4

エラータID: AXSA:2012-23:01

Release date: 
Wednesday, January 18, 2012 - 14:18
Subject: 
cyrus-imapd-2.3.16-6.AXS4.4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

The cyrus-imapd package contains the core of the Cyrus IMAP server. It is a scaleable enterprise mail system designed for use from small to large enterprise environments using standards-based internet mail technologies.
A full Cyrus IMAP implementation allows a seamless mail and bulletin board environment to be set up across multiple servers. It differs from other IMAP server implementations in that it is run on sealed servers, where users are not normally permitted to log in and have no system account on the server. The mailbox database is stored in parts of the filesystem that are private to the Cyrus IMAP server. All user access to mail is through software using the IMAP, POP3 or KPOP protocols. It also includes support for virtual domains, NNTP, mailbox annotations, and much more. The private mailbox database design gives the server large advantages in efficiency, scalability and administratability. Multiple concurrent read/write connections to the same mailbox are permitted. The server supports access control lists on mailboxes and storage quotas on mailbox hierarchies.
The Cyrus IMAP server supports the IMAP4rev1 protocol described in RFC 3501. IMAP4rev1 has been approved as a proposed standard. It supports any authentication mechanism available from the SASL library, imaps/pop3s/nntps (IMAP/POP3/NNTP encrypted using SSL and TLSv1) can be used for security. The server supports single instance store where possible when an email message is addressed to multiple recipients, SIEVE provides server side email filtering.
Security issues fixed with this release:
CVE-2011-3372
imap/nntpd.c in the NNTP server (nntpd) for Cyrus IMAPd 2.4.x before 2.4.12 allows remote attackers to bypass authentication by sending an AUTHINFO USER command without sending an additional AUTHINFO PASS command.
CVE-2011-3481
The index_get_ids function in index.c in imapd in Cyrus IMAP Server before 2.4.11, when server-side threading is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted References header in an e-mail message.

Solution: 

Update packages.

CVEs: 
CVE-2011-3372
imap/nntpd.c in the NNTP server (nntpd) for Cyrus IMAPd 2.4.x before 2.4.12 allows remote attackers to bypass authentication by sending an AUTHINFO USER command without sending an additional AUTHINFO PASS command.
CVE-2011-3481
The index_get_ids function in index.c in imapd in Cyrus IMAP Server before 2.4.11, when server-side threading is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted References header in an e-mail message.
Additional Info: 

N/A

Download: 

SRPMS
  1. cyrus-imapd-2.3.16-6.AXS4.4.src.rpm
    MD5: 4b4936558e00b86eb85045129deb0ec3
    SHA-256: cac3a1add9c57269cfd4fc2958244c8aa70eec2558880ec438283a05675ec5a3
    Size: 2.32 MB

Asianux Server 4 for x86
  1. cyrus-imapd-2.3.16-6.AXS4.4.i686.rpm
    MD5: 903b02b89379e41f0ab855eca3eeca47
    SHA-256: 6d4313e26c4a9bc05a58d6c2c0439932ed1974737e04c29c0ef24c0cc4efaf34
    Size: 11.09 MB
  2. cyrus-imapd-utils-2.3.16-6.AXS4.4.i686.rpm
    MD5: d6c3f769c706e4c8bc1d90fc43cd971d
    SHA-256: e1021c350d95623573e02551f88ed1c4980a5bc25ba0d53fb976a7aba1f02140
    Size: 254.41 kB

Asianux Server 4 for x86_64
  1. cyrus-imapd-2.3.16-6.AXS4.4.x86_64.rpm
    MD5: 5c8ddd792072c30aa30a8a9f4bc0b61a
    SHA-256: a01aeaa77e41e5582677fd0e98fcbe0d83fcb16e435ab61ce467109575549bc2
    Size: 11.17 MB
  2. cyrus-imapd-utils-2.3.16-6.AXS4.4.x86_64.rpm
    MD5: bb8774c3738bb4e4ba95e9834dc85576
    SHA-256: 84e491d3ed16e89c00ceae8f98a8c058d995a1c57b718e3e0c76959c1a4a1395
    Size: 253.90 kB