Bug#804182: cyrus-imapd-2.4: CVE-2015-8077 CVE-2015-8078
Salvatore Bonaccorso
carnil at debian.org
Thu Nov 5 20:10:43 UTC 2015
Source: cyrus-imapd-2.4
Version: 2.4.17+nocaldav-2
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerabilities were published for cyrus-imapd-2.4.
CVE-2015-8077[0]:
| integer overflow in the start_octet addition after the
| 07de4ff1bf2fa340b9d77b8e7de8d43d47a33921 fix
CVE-2015-8078[1]:
| integer overflow in the section_offset addition after the
| c21e179c1f6b968fe69bebe079176714e511587b fix
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
Both are basically due to an incomplete fix of CVE-2015-8076, so
technically wheezy and jessie are not affected by CVE-2015-8077 and
CVE-2015-8078 but the fix for CVE-2015-8076 would need to be completed
including these patches.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-8077
https://cyrus.foundation/cyrus-imapd/commit/?id=745e161c834f1eb6d62fc14477f51dae799e1e08
[1] https://security-tracker.debian.org/tracker/CVE-2015-8078
https://cyrus.foundation/cyrus-imapd/commit/?id=6fb6a272171f49c79ba6ab7c6403eb25b39ec1b2
Regards,
Salvatore