Moderate: cyrus-imapd (SL4, SL5, SL6)

Synopsis: Moderate: cyrus-imapd security update
Issue Date: 2011-06-08
CVE Numbers: CVE-2011-1926

The cyrus-imapd packages contain a high-performance mail server with IMAP,
POP3, NNTP, and Sieve support.

It was discovered that cyrus-imapd did not flush the received commands
buffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3
sessions. A man-in-the-middle attacker could use this flaw to inject
protocol commands into a victim’s TLS session initialization messages. This
could lead to those commands being processed by cyrus-imapd, potentially
allowing the attacker to steal the victim’s mail or authentication
credentials. (CVE-2011-1926)
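
The flaw described above, modelled as an added example (not cyrus-imapd code and not part of the original advisory): a toy in-memory session whose receive buffer either keeps or discards bytes read before the TLS handshake. The Session class, its flush_on_starttls switch and the sample commands are constructed for illustration; the handshake itself is not modelled.

```python
# Added illustration: toy in-memory model, not cyrus-imapd code.
class Session:
    """Line-based server session with a receive buffer shared across STARTTLS."""

    def __init__(self, flush_on_starttls):
        self.flush_on_starttls = flush_on_starttls
        self.tls_active = False
        self.pending = []    # (line, arrived_encrypted): read but not yet parsed
        self.processed = []  # (line, arrived_encrypted, ran_under_tls)

    def receive(self, data):
        """Buffer one network read, then parse everything that is buffered."""
        for raw in data.split(b"\r\n"):
            if raw:
                self.pending.append((raw.decode("ascii"), self.tls_active))
        while self.pending:
            line, arrived_encrypted = self.pending.pop(0)
            self.processed.append((line, arrived_encrypted, self.tls_active))
            command = line.partition(" ")[2].upper()
            if command == "STARTTLS" and not self.tls_active:
                if self.flush_on_starttls:
                    # Hardened: drop bytes read before the handshake.
                    self.pending.clear()
                self.tls_active = True  # handshake modelled as instantaneous


def plaintext_lines_run_under_tls(session):
    """Lines that arrived unencrypted yet were processed inside the TLS session."""
    return [line for line, enc, under_tls in session.processed
            if under_tls and not enc]


def replay(flush_on_starttls):
    session = Session(flush_on_starttls)
    # Constructed input: one pre-handshake read carrying STARTTLS plus an extra
    # line (a harmless NOOP stands in for anything appended in plaintext).
    session.receive(b"a001 STARTTLS\r\na002 NOOP\r\n")
    # The client's real first command, sent after the handshake.
    session.receive(b"a003 CAPABILITY\r\n")
    return session


if __name__ == "__main__":
    for flush in (False, True):
        s = replay(flush)
        print("flush=%s leaked=%s" % (flush, plaintext_lines_run_under_tls(s)))
```

With the flush disabled, the line that arrived in plaintext is processed as if it belonged to the encrypted session; with the flush enabled, only lines received after the handshake are processed.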

Users of cyrus-imapd are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. After installing
the update, cyrus-imapd will be restarted automatically.

SL4
  x86_64
    cyrus-imapd-2.2.12-15.el4.x86_64.rpm
    cyrus-imapd-devel-2.2.12-15.el4.x86_64.rpm
    cyrus-imapd-murder-2.2.12-15.el4.x86_64.rpm
    cyrus-imapd-nntp-2.2.12-15.el4.x86_64.rpm
    cyrus-imapd-utils-2.2.12-15.el4.x86_64.rpm
    perl-Cyrus-2.2.12-15.el4.x86_64.rpm
  i386
    cyrus-imapd-2.2.12-15.el4.i386.rpm
    cyrus-imapd-devel-2.2.12-15.el4.i386.rpm
    cyrus-imapd-murder-2.2.12-15.el4.i386.rpm
    cyrus-imapd-nntp-2.2.12-15.el4.i386.rpm
    cyrus-imapd-utils-2.2.12-15.el4.i386.rpm
    perl-Cyrus-2.2.12-15.el4.i386.rpm
SL5
  x86_64
    cyrus-imapd-2.3.7-7.el5_6.4.x86_64.rpm
    cyrus-imapd-devel-2.3.7-7.el5_6.4.i386.rpm
    cyrus-imapd-devel-2.3.7-7.el5_6.4.x86_64.rpm
    cyrus-imapd-perl-2.3.7-7.el5_6.4.x86_64.rpm
    cyrus-imapd-utils-2.3.7-7.el5_6.4.x86_64.rpm
  i386
    cyrus-imapd-2.3.7-7.el5_6.4.i386.rpm
    cyrus-imapd-devel-2.3.7-7.el5_6.4.i386.rpm
    cyrus-imapd-perl-2.3.7-7.el5_6.4.i386.rpm
    cyrus-imapd-utils-2.3.7-7.el5_6.4.i386.rpm
SL6
  x86_64
    cyrus-imapd-2.3.16-6.el6_1.2.x86_64.rpm
    cyrus-imapd-devel-2.3.16-6.el6_1.2.i686.rpm
    cyrus-imapd-devel-2.3.16-6.el6_1.2.x86_64.rpm
    cyrus-imapd-utils-2.3.16-6.el6_1.2.x86_64.rpm
  i386
    cyrus-imapd-2.3.16-6.el6_1.2.i686.rpm
    cyrus-imapd-devel-2.3.16-6.el6_1.2.i686.rpm
    cyrus-imapd-utils-2.3.16-6.el6_1.2.i686.rpm

– Scientific Linux Development Team