Yellow Dog Linux Security Advisory: YDU-20020606-1
Dan Burcaw
yellowdog-updates@lists.terrasoftsolutions.com
Thu, 6 Jun 2002 20:00:18 -0600 (MDT)
Yellow Dog Linux Security Announcement
--------------------------------------
Package: imap
Issue Date: June 06, 2002
Priority: high
Advisory ID: YDU-20020606-1
1. Topic:
Updated imap packages are available.
2. Problem:
"UW imapd is an IMAP daemon from the University of Washington. Version
2000c and previous versions have a bug that allows a malicious user to
construct a malformed request which overflows an internal buffer, enabling
that user to execute commands on the server with the user's UID/GID.
To exploit this problem the user has to have successfully authenticated to
the imapd service. Therefore, this vulnerability mainly affects free email
providers or mail servers where the user has no shell access to the system.
On other systems, in which the user already has shell access, users can
already run commands under their own UIDs/GIDs.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0379 to this issue.
Users of imapd are advised to upgrade to these errata packages containing
version 2001a of imapd. They are not vulnerable to this issue."
(from Red Hat Advisory)
3. Solution:
a) Updating via apt...
We suggest that you use the apt-get program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
apt-get update
apt-get install imap
b) Updating manually...
The update can also be retrieved manually from our ftp site
below along with the rpm command that should be used to install
the update. (Please use a mirror site)
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/
rpm -Fvh imap-2001a-1.72.0.ppc.rpm
4. Verification
MD5 checksum                     Package
-------------------------------- ----------------------------
2681d1e68502578b4e7f0b6c3f4f5ade ppc/imap-2001a-1.72.0.ppc.rpm
1e0cff5e1c3e804e3c7ca1b560169672 ppc/imap-devel-2001a-1.72.0.ppc.rpm
bf402f779d9a16e701b2f049e83ca341 SRPMS/imap-2001a-1.72.0.src.rpm
If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command:
rpm --checksig --nogpg filename
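The rpm command above checks the digest stored inside each package, so comparing a download against the MD5 values published in this advisory is a separate step. The following is an added example, not part of the original advisory or of Terra Soft's tooling; the function name verify_table and the flat download directory are assumptions.

```sh
#!/bin/sh
# Added example: compare downloaded packages with an advisory checksum table.
# Table rows look like "<32-hex md5> <dir>/<file>"; header and rule lines are skipped.
# verify_table TABLE DIR  (name and flat DIR layout are assumptions of this example)
# Returns 0 only if at least one listed package was found in DIR and all found match.
verify_table() {
    table=$1; dir=$2; checked=0; bad=0
    while read -r want path rest || [ -n "$want" ]; do
        case $want in
            ""|*[!0-9a-fA-F]*) continue ;;   # not a hex digest: header, rule, blank
        esac
        [ "${#want}" -eq 32 ] || continue
        name=${path##*/}                      # drop the ppc/ or SRPMS/ prefix
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "SKIP     $name (not downloaded)"
            continue
        fi
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $want, got $got)"
            bad=$((bad + 1))
        fi
    done < "$table"
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Stand-alone use: sh verify.sh table.txt /path/to/downloads
if [ "$#" -eq 2 ]; then
    verify_table "$1" "$2"
fi
```

A non-zero exit means a listed package differed or none of the listed packages were found; the comparison is only as trustworthy as the copy of the advisory the table was taken from.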
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_2.2/apt-get.shtml