Bug#547947: CVE-2009-3235: CMU sieve buffer overflows
Benjamin Seidenberg
benjamin at debian.org
Tue Sep 22 18:30:47 UTC 2009
fixed 547947 2.2.13-15
thanks
A fix was released before the CVE was even published
Giuseppe Iuculano wrote:
> Package: cyrus-imapd-2.2
> Severity: grave
> Tags: security patch
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for cyrus-imapd-2.2.
>
> CVE-2009-3235[0]:
> | Multiple stack-based buffer overflows in the Sieve plugin in Dovecot
> | 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve,
> | allow context-dependent attackers to cause a denial of service (crash)
> | and possibly execute arbitrary code via a crafted SIEVE script, as
> | demonstrated by forwarding an e-mail message to a large number of
> | recipients, a different vulnerability than CVE-2009-2632.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3235
> http://security-tracker.debian.net/tracker/CVE-2009-3235
> Patch:
> https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/sieve.y.diff?r1=1.40;r2=1.41;f=h
>
> https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/bc_eval.c.diff?r1=1.14;r2=1.15;f=h
>
> https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.68;r2=1.69;f=h
>
>
_______________________________________________
Pkg-Cyrus-imapd-Debian-devel mailing list
Pkg-Cyrus-imapd-Debian-devel at lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-cyrus-imapd-debian-devel
More information about the Pkg-Cyrus-imapd-Debian-devel
mailing list