Yellow Dog Linux Security Advisory: YDU-20020606-1

Dan Burcaw yellowdog-updates@lists.terrasoftsolutions.com
Thu, 6 Jun 2002 20:00:18 -0600 (MDT)


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	imap	
Issue Date: 	June 06, 2002	
Priority:	high		
Advisory ID: 	YDU-20020606-1


1. 	Topic:

	Updated imap packages are available.


2. 	Problem:

	"UW imapd is an IMAP daemon from the University of Washington.  Version
	2000c and previous versions have a bug that allows a malicious user to
	construct a malformed request which overflows an internal buffer, enabling
	that user to execute commands on the server with the user's UID/GID. 

	To exploit this problem the user has to have successfully authenticated to
	the imapd service.  Therefore, this vulnerability mainly affects free email
	providers or mail servers where the user has no shell access to the system.
	On other systems, in which the user already has shell access, users can
	already run commands under their own UIDs/GIDs.

	The Common Vulnerabilities and Exposures project (cve.mitre.org) has
	assigned the name CAN-2002-0379 to this issue.

	Users of imapd are advised to upgrade to these errata packages containing
	version 2001a of imapd. They are not vulnerable to this issue."
	(from Red Hat Advisory)


3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install imap

   	b) Updating manually...
   	The update can also be retrieved manually from our ftp site
   	below along with the rpm command that should be used to install
   	the update.  (Please use a mirror site)

   		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/
		rpm -Fvh imap-2001a-1.72.0.ppc.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
2681d1e68502578b4e7f0b6c3f4f5ade  ppc/imap-2001a-1.72.0.ppc.rpm
1e0cff5e1c3e804e3c7ca1b560169672  ppc/imap-devel-2001a-1.72.0.ppc.rpm
bf402f779d9a16e701b2f049e83ca341  SRPMS/imap-2001a-1.72.0.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command:

	rpm --checksig --nogpg filename
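
As an added example (not part of the original advisory or of Terra Soft's tooling): `rpm --checksig --nogpg` checks the MD5 digest stored inside each package, so comparing downloads against the table above is a separate step. The sketch assumes `md5sum` and `awk` are installed; the function name `verify_advisory_md5` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): check downloaded packages against
# the MD5 table in a saved copy of the advisory text.
# Usage: verify_advisory_md5 ADVISORY_FILE PACKAGE_DIR   (hypothetical name)
# Returns 0 if every listed package found in PACKAGE_DIR matches,
#         1 on any mismatch, 2 if no listed package was found at all.
verify_advisory_md5() {
    advisory=$1
    pkgdir=$2
    bad=0
    seen=0
    # Table rows look like "<32 hex digits>  <dir>/<file>.rpm".
    rows=$(awk 'NF == 2 && length($1) == 32 && $1 ~ /^[0-9a-f]+$/ && $2 ~ /\.rpm$/ { print $1, $2 }' "$advisory")
    while read -r want path; do
        [ -n "$want" ] || continue
        file=$pkgdir/${path##*/}          # packages are looked up by base name
        if [ ! -f "$file" ]; then
            echo "SKIP     $path (not downloaded)"
            continue
        fi
        seen=$((seen + 1))
        got=$(md5sum "$file" | awk '{ print $1 }')
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (computed $got)"
            bad=1
        fi
    done <<EOF
$rows
EOF
    if [ "$seen" -eq 0 ]; then
        echo "no package listed in $advisory was found in $pkgdir" >&2
        return 2
    fi
    return "$bad"
}

# Run directly as: sh verify.sh advisory.txt /path/to/downloads
if [ "$#" -eq 2 ]; then
    verify_advisory_md5 "$1" "$2"
fi
```

Save the advisory text to a file and pass it together with the download directory. A match is only as trustworthy as the copy of the advisory the table was read from.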


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_2.2/apt-get.shtml