Bug#804182: cyrus-imapd-2.4: CVE-2015-8077 CVE-2015-8078
Ondřej Surý
ondrej at sury.org
Tue Nov 17 07:32:44 UTC 2015
Hi Salvatore,

just letting you know I will take care of the security update this week.
I just need to sort out whether the rest of the bug reports are
related to the +nocaldav bump or not.

Cheers,
Ondrej

On Thu, Nov 5, 2015, at 21:10, Salvatore Bonaccorso wrote:
> Source: cyrus-imapd-2.4
> Version: 2.4.17+nocaldav-2
> Severity: important
> Tags: security upstream patch fixed-upstream
>
> Hi,
>
> the following vulnerabilities were published for cyrus-imapd-2.4.
>
> CVE-2015-8077[0]:
> | integer overflow in the start_octet addition after the
> | 07de4ff1bf2fa340b9d77b8e7de8d43d47a33921 fix
>
> CVE-2015-8078[1]:
> | integer overflow in the section_offset addition after the
> | c21e179c1f6b968fe69bebe079176714e511587b fix
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> Both basically are due to an incomplete fix of CVE-2015-8076, so
> technically wheezy and jessie are not affected by CVE-2015-8077 and
> CVE-2015-8078 but the fix for CVE-2015-8076 would need to be completed
> including these patches.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2015-8077
> https://cyrus.foundation/cyrus-imapd/commit/?id=745e161c834f1eb6d62fc14477f51dae799e1e08
> [1] https://security-tracker.debian.org/tracker/CVE-2015-8078
> https://cyrus.foundation/cyrus-imapd/commit/?id=6fb6a272171f49c79ba6ab7c6403eb25b39ec1b2
>
> Regards,
> Salvatore
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server