Bug#627081: STARTTLS plaintext command injection

Ondřej Surý ondrej at sury.org
Wed May 18 07:30:33 UTC 2011


Hi Moritz,

thanks for the heads-up.

I am preparing the security updates for cyrus-imapd-2.2 right now.

Please note that for cyrus-imapd-2.4 this vulnerability was fixed in
upstream 2.4.7.

O.

On Tue, May 17, 2011 at 16:59, Moritz Muehlenhoff
<muehlenhoff at univention.de> wrote:
> Package: cyrus-imapd-2.2
> Severity: grave
> Tags: security
>
> Hi,
> I found out that Cyrus is also vulnerable to the STARTTLS plaintext
> command injection vulnerability originally discovered in Postfix:
>
> http://www.kb.cert.org/vuls/id/555316
> http://www.postfix.org/CVE-2011-0411.html
>
> Cyrus bug:
> http://bugzilla.cyrusimap.org/show_bug.cgi?id=3424
>
> Patch:
> http://git.cyrusimap.org/cyrus-imapd/patch/?id=523a91a5e86c8b9a27a138f04a3e3f2d8786f162
>
> Cheers,
>        Moritz



-- 
Ondřej Surý <ondrej at sury.org>




