Cyrus IMAP Server: Multiple remote vulnerabilities — GLSA 200411-34

The Cyrus IMAP Server contains multiple vulnerabilities which could lead to remote execution of arbitrary code.

Affected packages

Package 	net-mail/cyrus-imapd on all architectures
Affected versions 	< 2.2.10
Unaffected versions 	>= 2.2.10

Background

The Cyrus IMAP Server is an efficient, highly-scalable IMAP e-mail server.

Description

Multiple vulnerabilities have been discovered in the argument parsers of the 'partial' and 'fetch' commands of the Cyrus IMAP Server (CAN-2004-1012, CAN-2004-1013). There are also buffer overflows in the 'imap magic plus' code that are vulnerable to exploitation as well (CAN-2004-1011, CAN-2004-1015).

Impact

An attacker can exploit these vulnerabilities to execute arbitrary code with the rights of the user running the Cyrus IMAP Server.

Workaround

There is no known workaround at this time.

Resolution

All Cyrus-IMAP Server users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.2.10"

References

    CAN-2004-1011
    CAN-2004-1012
    CAN-2004-1013
    CAN-2004-1015
    e-matters Advisory
    Cyrus IMAP Server ChangeLog