USN-37-1: cyrus21-imapd vulnerability

2 December 2004

cyrus21-imapd vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 4.10

Software Description

Details

Recently another buffer overflow has been discovered in the SASL authentication module of the Cyrus IMAP server. An off-by-one comparison error in the mysasl_canon_user() function could lead to a missing termination of an user name string.

This vulnerability could allow remote, attacker-supplied machine code to be executed in the context of the affected server process. Since the IMAP server usually runs as unprivileged user ‘cyrus’, there is no possibility of root privilege escalation.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 4.10
cyrus21-imapd

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

References