oss-sec mailing list archives
Re: CVE Request -- Cyrus-IMAP STARTTLS issue -- [was: Re: [oss-security] pure-ftpd STARTTLS command injection / new CVE?]
From: Josh Bressers <bressers () redhat com>
Date: Tue, 17 May 2011 16:10:11 -0400 (EDT)
Please use CVE-2011-1926.

Thanks.

--
JB

----- Original Message -----

Hello, Josh, Steve, vendors,

it was reported that Cyrus-IMAP is also prone to the CVE-2011-0411 issue (in IMAP, LMTP, NNTP, POP3, .. protocols):
[1] http://bugzilla.cyrusimap.org/show_bug.cgi?id=3424

Relevant upstream patch:
[2] http://git.cyrusimap.org/cyrus-imapd/patch/?id=523a91a5e86c8b9a27a138f04a3e3f2d8786f162

References:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=705288

To my knowledge the list of CVE-2011-0411 related CVEs:

CVE-2011-0411 Postfix
CVE-2011-1430 Ipswitch IMAIL
CVE-2011-1431 netqmail
CVE-2011-1432 SCO Soffice Server
CVE-2011-1575 pure-ftpd

does not include the Cyrus case yet (but I am not sure this list is complete, so it is worth double-checking).

Could you allocate a CVE id for this?

Thank you & Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

On 04/11/2011 07:19 PM, Mike O'Connor wrote:
:http://www.pureftpd.org/project/pure-ftpd/news
:
:states that pure-ftpd is affected by the same STARTTLS
:injection bug as postfix's CVE-2011-0411.
:
:Is this CVE postfix-specific or can it be used for
:pure-ftpd as well? If needed, can someone assign a new CVE?

It should get its own CVE assignment. Other products with the same STARTTLS issue have gotten unique CVE assignments for them -- see CVE-2011-143[012].

Current thread:
- pure-ftpd STARTTLS command injection / new CVE? Sebastian Krahmer (Apr 11)
- Re: pure-ftpd STARTTLS command injection / new CVE? Mike O'Connor (Apr 11)
- Re: pure-ftpd STARTTLS command injection / new CVE? Steven M. Christey (Apr 11)
- CVE Request -- Cyrus-IMAP STARTTLS issue -- [was: Re: [oss-security] pure-ftpd STARTTLS command injection / new CVE?] Jan Lieskovsky (May 17)
- Re: CVE Request -- Cyrus-IMAP STARTTLS issue -- [was: Re: [oss-security] pure-ftpd STARTTLS command injection / new CVE?] Josh Bressers (May 17)
- Re: pure-ftpd STARTTLS command injection / new CVE? Josh Bressers (Apr 11)
- Re: pure-ftpd STARTTLS command injection / new CVE? Mike O'Connor (Apr 11)