 |
Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | ||
| Test ID: | 1.3.6.1.4.1.25623.1.0.64864 |
| Category: | Debian Local Security Checks |
| Title: | Debian: Security Advisory (DSA-1881-1) |
| Summary: | The remote host is missing an update for the Debian 'cyrus-imapd-2.2' package(s) announced via the DSA-1881-1 advisory. |
| Description: | Summary: The remote host is missing an update for the Debian 'cyrus-imapd-2.2' package(s) announced via the DSA-1881-1 advisory. Vulnerability Insight: It was discovered that the SIEVE component of cyrus-imapd, a highly scalable enterprise mail system, is vulnerable to a buffer overflow when processing SIEVE scripts. Due to incorrect use of the sizeof() operator an attacker is able to pass a negative length to snprintf() calls resulting in large positive values due to integer conversion. This causes a buffer overflow which can be used to elevate privileges to the cyrus system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system. For the oldstable distribution (etch), this problem has been fixed in version 2.2.13-10+etch2. For the stable distribution (lenny), this problem has been fixed in version 2.2.13-14+lenny1. For the testing (squeeze) and unstable (sid) distribution, this problem will be fixed soon. We recommend that you upgrade your cyrus-imapd-2.2 packages. Affected Software/OS: 'cyrus-imapd-2.2' package(s) on Debian 4, Debian 5. Solution: Please install the updated package(s). CVSS Score: 4.4 CVSS Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P |
| Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2009-2632 http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html BugTraq ID: 36296 http://www.securityfocus.com/bid/36296 BugTraq ID: 36377 http://www.securityfocus.com/bid/36377 Debian Security Information: DSA-1881 (Google Search) http://www.debian.org/security/2009/dsa-1881 https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00491.html https://lists.andrew.cmu.edu/pipermail/cyrus-cvs/2009-September/001253.html https://lists.andrew.cmu.edu/pipermail/cyrus-cvs/2009-September/001254.html http://dovecot.org/list/dovecot-news/2009-September/000135.html http://www.openwall.com/lists/oss-security/2009/09/14/3 http://www.osvdb.org/58103 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10082 http://secunia.com/advisories/36629 http://secunia.com/advisories/36632 http://secunia.com/advisories/36698 http://secunia.com/advisories/36713 http://secunia.com/advisories/36904 SuSE Security Announcement: SUSE-SR:2009:016 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html http://www.ubuntu.com/usn/USN-838-1 http://www.vupen.com/english/advisories/2009/2559 http://www.vupen.com/english/advisories/2009/2641 |
| Copyright | Copyright (C) 2009 Greenbone AG |
| This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |