-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:229-1 http://www.mandriva.com/security/ _______________________________________________________________________ Package : cyrus-imapd Date : December 5, 2009 Affected: 2008.0 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in cyrus-imapd: Buffer overflow in the SIEVE script component (sieve/script.c) in cyrus-imapd in Cyrus IMAP Server 2.2.13 and 2.3.14 allows local users to execute arbitrary code and read or modify arbitrary messages via a crafted SIEVE script, related to the incorrect use of the sizeof operator for determining buffer length, combined with an integer signedness error (CVE-2009-2632). This update provides a solution to this vulnerability. Update: Packages for 2008.0 are being provided due to extended support for Corporate products. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2632 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: 3624587d9792be346e43e89fdefca08f 2008.0/i586/cyrus-imapd-2.3.8-4.1mdv2008.0.i586.rpm 964fdf726329871c4cce92f11da00692 2008.0/i586/cyrus-imapd-devel-2.3.8-4.1mdv2008.0.i586.rpm 5fd6c344a226014105f01cec643fc24f 2008.0/i586/cyrus-imapd-murder-2.3.8-4.1mdv2008.0.i586.rpm 07ed14c27d7cbf32ca9fe1a16a244907 2008.0/i586/cyrus-imapd-nntp-2.3.8-4.1mdv2008.0.i586.rpm 8a0b889b937ea0e4bb20eeee82979c17 2008.0/i586/cyrus-imapd-utils-2.3.8-4.1mdv2008.0.i586.rpm 86f444535a86d7fb3f608e2c7612df75 2008.0/i586/perl-Cyrus-2.3.8-4.1mdv2008.0.i586.rpm 5b9213e9db4ccc29efe4c5c389436aaf 2008.0/SRPMS/cyrus-imapd-2.3.8-4.1mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: d6efe505d3695fc96ca96c6a1e43b01a 2008.0/x86_64/cyrus-imapd-2.3.8-4.1mdv2008.0.x86_64.rpm 08759474f31a25d5b48179cabccc873e 2008.0/x86_64/cyrus-imapd-devel-2.3.8-4.1mdv2008.0.x86_64.rpm 029231ca655d20e016146f1b5988f4c8 2008.0/x86_64/cyrus-imapd-murder-2.3.8-4.1mdv2008.0.x86_64.rpm 1573bb824fa3d2747b7bf5ed64034ba8 2008.0/x86_64/cyrus-imapd-nntp-2.3.8-4.1mdv2008.0.x86_64.rpm ff36f2669c5007afc4b232ac9ed59d83 2008.0/x86_64/cyrus-imapd-utils-2.3.8-4.1mdv2008.0.x86_64.rpm ff65dff0ef99b87e81b52a9e4946658f 2008.0/x86_64/perl-Cyrus-2.3.8-4.1mdv2008.0.x86_64.rpm 5b9213e9db4ccc29efe4c5c389436aaf 2008.0/SRPMS/cyrus-imapd-2.3.8-4.1mdv2008.0.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFLGlX9mqjQ0CJFipgRAiZAAJ90vfOd0KH1OlBegEA29vg98+Ga5ACffAgl VP8ROOVBxJt907M/TP1pD2I= =VOgd -----END PGP SIGNATURE-----