oss-sec mailing list archives

Re: CVE Request -- Cyrus-IMAP STARTTLS issue -- [was: Re: [oss-security] pure-ftpd STARTTLS command injection / new CVE?]


From: Josh Bressers <bressers () redhat com>
Date: Tue, 17 May 2011 16:10:11 -0400 (EDT)

Please use CVE-2011-1926.

Thanks.

-- 
    JB


----- Original Message -----
Hello, Josh, Steve, vendors,

it was reported that Cyrus-IMAP is also prone to the CVE-2011-0411
issue (in IMAP, LMTP, NNTP, POP3, .. protocols):
[1] http://bugzilla.cyrusimap.org/show_bug.cgi?id=3424

Relevant upstream patch:
[2] http://git.cyrusimap.org/cyrus-imapd/patch/?id=523a91a5e86c8b9a27a138f04a3e3f2d8786f162

References:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=705288

To my knowledge the list of CVE-2011-0411 related CVEs:

CVE-2011-0411 Postfix
CVE-2011-1430 Ipswich IMAIL
CVE-2011-1431 netqmail
CVE-2011-1432 SCO Soffice Server
CVE-2011-1575 pure-ftpd

does not include the Cyrus case yet (but not sure this list is
complete, so worth double-checking).

Could you allocate a CVE id for this?

Thank you & Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

On 04/11/2011 07:19 PM, Mike O'Connor wrote:
:http://www.pureftpd.org/project/pure-ftpd/news
:
:states that pure-ftpd is affected by the same STARTTLS
:injection bug as postfix's CVE-2011-0411.
:
:Is this CVE postfix-specific or can it be used for
:pure-ftpd as well? If needed, can someone assign a new CVE?

It should get its own CVE assignment. Other products with the
same STARTTLS issue have gotten unique CVE assignments for them
-- see CVE-2011-143[012].


