A cyrus-imapd security update is available for Fedora Core 3

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-339
2005-04-27
---------------------------------------------------------------------

Product : Fedora Core 3
Name : cyrus-imapd
Version : 2.2.12
Release : 1.1.fc3
Summary : A high-performance mail server with IMAP, POP3, NNTP and SIEVE support.
Description :
The cyrus-imapd package contains the core of the Cyrus IMAP server. It is a scalable enterprise mail system designed for use from small to large enterprise environments using standards-based internet mail technologies.

A full Cyrus IMAP implementation allows a seamless mail and bulletin board environment to be set up across multiple servers. It differs from other IMAP server implementations in that it is run on "sealed" servers, where users are not normally permitted to log in. The mailbox database is stored in parts of the filesystem that are private to the Cyrus IMAP server. All user access to mail is through software using the IMAP, POP3, or KPOP protocols. TLSv1 and SSL are supported for security.



---------------------------------------------------------------------
Update Information:

Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0546 to this issue.

In addition, this version of the rpm contains a collection of other fixes since the last FC3 update (see the changelog below).

>>>>>>>>>>IMPORTANT NOTE FOR X86_64 INSTALLATION <<<<<<<<<<<<

This rpm also fixes bug #156121, which incorrectly placed some executables in /usr/lib64/cyrus-imapd. /usr/lib64 is reserved for 64-bit libraries; the misplacement caused problems for existing scripts that expected to find the executables in a canonical location (/usr/lib/cyrus-imapd) and violated the multilib packaging guidelines. Only references external to the cyrus-imapd package are affected by this; the rpm is self-consistent. The most notable example is /usr/lib64/cyrus-imapd/deliver, which is now /usr/lib/cyrus-imapd/deliver (use of lmtp is encouraged in preference to deliver). This change only affects x86_64 installations.
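
A read-only check for the external references this note describes, added here as an example and not part of the Fedora advisory or the cyrus-imapd package: it lists non-comment lines that still point at /usr/lib64/cyrus-imapd and shows each one rewritten to /usr/lib/cyrus-imapd. The helper name find_stale_refs, the script name in the comment and the sample configuration line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only check for references to the pre-update x86_64 path.
OLD_DIR=/usr/lib64/cyrus-imapd   # location the advisory describes as incorrect
NEW_DIR=/usr/lib/cyrus-imapd     # canonical location after the update

# find_stale_refs PATH... (hypothetical helper name)
# Prints "file:line: text rewritten to NEW_DIR" for every non-comment line that
# mentions OLD_DIR. Returns 0 if something was found, 1 otherwise.
# No file is modified; the output is a proposal for review.
find_stale_refs() {
    _refs=$(find "$@" -type f -exec awk -v old="$OLD_DIR" -v new="$NEW_DIR" '
        /^[ \t]*#/ { next }                  # ignore commented-out lines
        index($0, old) {
            rest = $0; out = ""
            # literal replacement, so "." and "/" in the path are not regex
            while ((i = index(rest, old)) > 0) {
                out = out substr(rest, 1, i - 1) new
                rest = substr(rest, i + length(old))
            }
            printf "%s:%d: %s\n", FILENAME, FNR, out rest
        }' {} + 2>/dev/null)
    [ -n "$_refs" ] || return 1
    printf '%s\n' "$_refs"
}

if [ "$#" -gt 0 ]; then
    find_stale_refs "$@"             # e.g. sh check.sh /etc /usr/local/bin
else
    # Constructed sample input: one mail-transport style line using the old path.
    d=$(mktemp -d)
    printf '%s\n' '# delivery agent' \
        'argv=/usr/lib64/cyrus-imapd/deliver -m mailbox' > "$d/sample.conf"
    find_stale_refs "$d"
    rm -rf "$d"
fi
```

A non-zero exit status means no live reference to the old directory was found under the given paths.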

---------------------------------------------------------------------
* Mon Apr 4 2005 John Dennis <jdennis@redhat.com> - 2.2.12-1.1.fc3

- bring up to 2.2.12, fixes security CAN-2005-0546

* Mon Feb 14 2005 Simon Matter <simon.matter@invoca.ch>

- updated to 2.2.12
- updated autocreate and autosievefolder patches

* Sat Feb 5 2005 Simon Matter <simon.matter@invoca.ch>

- updated autosievefolder patch

* Tue Feb 1 2005 Simon Matter <simon.matter@invoca.ch>

- remove special ownership and permissions from deliver
- enable deliver-wrapper per default
- enable OutlookExpress seenstate patch per default

* Wed Jan 19 2005 Simon Matter <simon.matter@invoca.ch>

- updated autocreate patch

* Fri Jan 14 2005 Simon Matter <simon.matter@invoca.ch>

- spec file cleanup

* Tue Jan 11 2005 Simon Matter <simon.matter@invoca.ch>

- updated autocreate patch

* Fri Jan 7 2005 Simon Matter <simon.matter@invoca.ch>

- moved contrib dir into doc, made scripts not executable

* Thu Jan 6 2005 Simon Matter <simon.matter@invoca.ch>

- added more fixes to the autocreate patch
- don't use /usr/lib for /usr/lib/cyrus-imapd, it's a mess on x86_64
- don't use /usr/lib for symlinks
- remove /usr/lib patches
- change pam configs to work on x86_64
- changed default build option for IDLED to on
- changed rpm_set_permissions to honor partitions in /etc/imapd.conf

* Tue Jan 4 2005 Simon Matter <simon.matter@invoca.ch>

- updated autocreate patch

* Mon Dec 20 2004 Simon Matter <simon.matter@invoca.ch>

- remove idled docs when disabled, fixes RedHat's bug #142345

* Fri Dec 17 2004 Simon Matter <simon.matter@invoca.ch>

- removed allnumeric patch, not needed anymore
- made groupcache a compile time option
- rename nntp's pam service, fixes RedHat's bug #142672

* Thu Dec 16 2004 Simon Matter <simon.matter@invoca.ch>

- updated groupcache patch
- updated cvt_cyrusdb_all to use runuser instead of su if available
- added upd_groupcache tool

* Wed Dec 15 2004 Simon Matter <simon.matter@invoca.ch>

- added groupfile patch to help those using nss_ldap


---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.