Your message dated Thu, 03 Feb 2005 19:02:08 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#292606: fixed in uw-imap 7:2002edebian1-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 28 Jan 2005 07:50:04 +0000
From [EMAIL PROTECTED] Thu Jan 27 23:50:04 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail17.bluewin.ch [195.186.18.64] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1CuQtI-00065P-00; Thu, 27 Jan 2005 23:50:04 -0800
Received: from petertosh (62.202.84.124) by mail17.bluewin.ch (Bluewin AG 7.0.035)
        id 41DEA2BD001FA9CC; Fri, 28 Jan 2005 07:49:32 +0000
Received: from tpo by petertosh with local (Exim 3.36 #1 (Debian))
        id 1CuQot-0003zr-00; Fri, 28 Jan 2005 08:45:31 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Tomas Pospisek <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: uw-imapd: CRAM-MD5 SASL authentication contains vulnerability
X-Mailer: reportbug 3.2
Date: Fri, 28 Jan 2005 08:45:30 +0100
Message-Id: <[EMAIL PROTECTED]>
Sender: Tomas Pospisek <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: uw-imapd
Severity: grave
Justification: user security hole

The following email appeared on the c-client mailing list today. Thus I
suppose the currently shipping libc-client is vulnerable too:


From [EMAIL PROTECTED] Fri Jan 28 08:33:16 2005
Date: Thu, 27 Jan 2005 14:23:14 -0800 (Pacific Standard Time)
From: Mark Crispin <[EMAIL PROTECTED]>
To: c-client Interest List <[EMAIL PROTECTED]>,
     [EMAIL PROTECTED]
Subject: vulnerability and fix in UW imapd

Problem:

Versions of UW imapd released prior to January 4, 2005 fail to properly 
authenticate users when using CRAM-MD5 SASL authentication.


Details:

The University of Washington IMAP server features multiple user 
authentication methods, including the Challenge-Response Authentication 
Mechanism with MD5 (CRAM-MD5) as defined by RFC2195.  A logic error in the 
code that handles CRAM-MD5 incorrectly specifies the conditions of 
successful authentication.  This error results in a vulnerability that 
could allow a remote attacker to successfully authenticate as any user on 
the target system.


Impact limitation:

This vulnerability ONLY affects sites that have explicitly enabled 
CRAM-MD5 style authentication by creating an /etc/cram-md5.pwd file. 
CRAM-MD5 style authentication is NOT enabled in the default configuration 
of UW imapd.

Consequently, sites which do not use CRAM-MD5 style authentication (the 
majority of UW imapd sites) are NOT vulnerable.  An IMAP server which does 
not advertise CRAM-MD5 style authentication is NOT vulnerable.


Workaround:

If the site uses CRAM-MD5 style authentication, delete or rename the 
/etc/cram-md5.pwd file to some other name.  Note that doing so will revert 
all passwords to those in the UNIX password system.


Solution:

This problem is fixed in the January 4, 2005 release version of imap-2004b 
and in all subsequent versions (the current release version is 
imap-2004c1).  This problem is also fixed in the UW imapd version bundled 
with Pine version 4.62.

The current release version of UW imapd is available at:
        ftp://ftp.cac.washington.edu/mail/imap.tar.Z

The current release version of Pine is available at:
        http://www.washington.edu/pine/getpine
        ftp://ftp.cac.washington.edu/pine/

For more details about this issue, please refer to:
        http://www.kb.cert.org/vuls/id/702777

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
-- 
------------------------------------------------------------------
 For information about this mailing list, and its archives, see: 
 http://www.washington.edu/imap/c-client-list.html
------------------------------------------------------------------



-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.22
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages uw-imapd depends on:
ii  debconf                 1.4.30.11        Debian configuration management sy
ii  libc-client2002edebian  7:2002edebian1-4 UW c-client library for mail proto
ii  libc6                   2.3.2.ds1-20     GNU C Library: Shared libraries an
ii  libcomerr2              1.35-6           The Common Error Description libra
ii  libkrb53                1.3.6-1          MIT Kerberos runtime libraries
ii  libpam-runtime          0.76-22          Runtime support for the PAM librar
ii  libpam0g                0.76-22          Pluggable Authentication Modules l
ii  libssl0.9.7             0.9.7e-2         SSL shared libraries
ii  openssl                 0.9.7e-2         Secure Socket Layer (SSL) binary a

---------------------------------------
Received: (at 292606-close) by bugs.debian.org; 4 Feb 2005 00:08:03 +0000
From [EMAIL PROTECTED] Thu Feb 03 16:08:02 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1Cwr10-0003HF-00; Thu, 03 Feb 2005 16:08:02 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1CwqvI-0005fd-00; Thu, 03 Feb 2005 19:02:08 -0500
From: Jonas Smedegaard <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#292606: fixed in uw-imap 7:2002edebian1-6
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 03 Feb 2005 19:02:08 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: uw-imap
Source-Version: 7:2002edebian1-6

We believe that the bug you reported is fixed in the latest version of
uw-imap, which is due to be installed in the Debian FTP archive:

ipopd-ssl_2002edebian1-6_all.deb
  to pool/main/u/uw-imap/ipopd-ssl_2002edebian1-6_all.deb
ipopd_2002edebian1-6_powerpc.deb
  to pool/main/u/uw-imap/ipopd_2002edebian1-6_powerpc.deb
libc-client-dev_2002edebian1-6_powerpc.deb
  to pool/main/u/uw-imap/libc-client-dev_2002edebian1-6_powerpc.deb
libc-client2002edebian_2002edebian1-6_powerpc.deb
  to pool/main/u/uw-imap/libc-client2002edebian_2002edebian1-6_powerpc.deb
mlock_2002edebian1-6_powerpc.deb
  to pool/main/u/uw-imap/mlock_2002edebian1-6_powerpc.deb
uw-imap_2002edebian1-6.diff.gz
  to pool/main/u/uw-imap/uw-imap_2002edebian1-6.diff.gz
uw-imap_2002edebian1-6.dsc
  to pool/main/u/uw-imap/uw-imap_2002edebian1-6.dsc
uw-imapd-ssl_2002edebian1-6_all.deb
  to pool/main/u/uw-imap/uw-imapd-ssl_2002edebian1-6_all.deb
uw-imapd_2002edebian1-6_powerpc.deb
  to pool/main/u/uw-imap/uw-imapd_2002edebian1-6_powerpc.deb
uw-mailutils_2002edebian1-6_powerpc.deb
  to pool/main/u/uw-imap/uw-mailutils_2002edebian1-6_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <[EMAIL PROTECTED]> (supplier of updated uw-imap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  3 Feb 2005 20:22:23 +0100
Source: uw-imap
Binary: libc-client2002edebian uw-imapd libc-client-dev mlock ipopd ipopd-ssl uw-imapd-ssl uw-mailutils
Architecture: source all powerpc
Version: 7:2002edebian1-6
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <[EMAIL PROTECTED]>
Changed-By: Jonas Smedegaard <[EMAIL PROTECTED]>
Description: 
 ipopd      - POP2 and POP3 servers from UW
 ipopd-ssl  - Dummy upgrade package for ipopd
 libc-client-dev - UW c-client library for mail protocols
 libc-client2002edebian - UW c-client library for mail protocols
 mlock      - Mailbox locking program from UW
 uw-imapd   - remote mail folder access server
 uw-imapd-ssl - Dummy upgrade package for uw-imapd
 uw-mailutils - C-client support programs from UW
Closes: 292606 293418
Changes: 
 uw-imap (7:2002edebian1-6) unstable; urgency=high
 .
   * Fix CERT security bug VU#702777: CRAM-MD5 authentication (disabled
     by default in Debian) would always grant access after 4 failed
     attempts. This closes: bug#292606, #293418 (thanks to Tomas Pospisek
     <[EMAIL PROTECTED]> for first reporting it and Martin Schulze
     <[EMAIL PROTECTED]> for providing a patch).
   * Set urgency=high due to above security fix.
   * Update local cdbs snippets:
     + buildinfo.mk: Make it actually work (tie to proper targets).
     + debhelper.mk: Add CDBS_BUILD_DEPENDS.
     + bts.mk: Make a test more quiet.
Files: 
 1033d18ff70d48972a34a9ba9ee6e5e9 771 mail optional uw-imap_2002edebian1-6.dsc
 55432671e26d994dfe8c88c8be4bc214 81715 mail optional uw-imap_2002edebian1-6.diff.gz
 c6b008cdd2be460a054baa42ca84efdd 19504 mail optional uw-imapd-ssl_2002edebian1-6_all.deb
 8ba960aafc51439676a7771bc76c2a30 19494 mail optional ipopd-ssl_2002edebian1-6_all.deb
 78af18326b83e0ece97ed9cb665bcfa5 67932 mail optional uw-imapd_2002edebian1-6_powerpc.deb
 d05b4a5a4dfd05344a4cb9609edcf10a 42330 mail optional ipopd_2002edebian1-6_powerpc.deb
 00ec85a065ce820a7ad7e817dc460f3a 1367906 libdevel optional libc-client-dev_2002edebian1-6_powerpc.deb
 db241d8b61979a5248694c9baa137ff6 583856 libs optional libc-client2002edebian_2002edebian1-6_powerpc.deb
 009f3b6eb5269a64b0487cc577a0c3b0 25216 mail optional mlock_2002edebian1-6_powerpc.deb
 3eac2a5918c0c04a0b90931136bcec6e 49056 mail optional uw-mailutils_2002edebian1-6_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCAoGIn7DbMsAkQLgRAgM8AJ47EY+BSrbuC3w8t6LllFeC8Ns4PwCeJbwf
Ro7+iZABkFuLrVsSxpRARgA=
=YDa9
-----END PGP SIGNATURE-----
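Mark Crispin's advisory above describes the flaw as a logic error in the conditions for successful CRAM-MD5 authentication, and the Debian changelog states the concrete effect: access was granted after four failed attempts. The following Python is an added illustration for this thread, not code from UW imapd, c-client or the Debian package. It implements the RFC 2195 exchange (HMAC-MD5 over the server challenge, base64 on the wire) with a server-side verifier whose only path to success is a matching digest, so that a failure counter can never turn into a grant, and adds the exposure check from the "Impact limitation" section: whether an IMAP greeting advertises AUTH=CRAM-MD5. The challenge, user and digest in the demo are the worked example from RFC 2195; the hostname, password table and greeting lines are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time


def make_challenge(hostname: str) -> bytes:
    """Server side: RFC 2195 challenge of the form <random.timestamp@hostname>."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>".encode()


def client_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: 'username' SP lowercase-hex HMAC-MD5(password, challenge)."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def encode_line(data: bytes) -> str:
    """Base64 as carried after the '+ ' continuation on the IMAP wire."""
    return base64.b64encode(data).decode()


def decode_line(b64: str) -> bytes:
    return base64.b64decode(b64)


class CramMd5Verifier:
    """Server-side verifier. Failed attempts are counted for logging and
    rate-limiting, but the counter is never consulted when deciding the
    outcome: only a recomputed digest that matches the client's yields True."""

    def __init__(self, password_db: dict):
        # username -> cleartext password, as a CRAM-MD5 password file must
        # hold it (the server needs the secret itself to recompute the HMAC).
        self._db = password_db
        self.failures = 0

    def verify(self, challenge: bytes, response: str) -> bool:
        parts = response.split(" ")
        if len(parts) != 2:
            self.failures += 1
            return False
        user, digest = parts
        password = self._db.get(user)
        # Unknown user: compute a digest anyway so timing does not reveal
        # whether the account exists.
        key = (password if password is not None else "no-such-user").encode()
        expected = hmac.new(key, challenge, hashlib.md5).hexdigest()
        ok = password is not None and hmac.compare_digest(expected, digest.lower())
        if not ok:
            self.failures += 1
        return ok

    def verify_wire(self, challenge: bytes, b64_response: str) -> bool:
        """Same check, starting from the base64 line the client actually sends."""
        try:
            response = decode_line(b64_response).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            self.failures += 1
            return False
        return self.verify(challenge, response)


def advertises_cram_md5(greeting_or_capability: str) -> bool:
    """True if an IMAP greeting or CAPABILITY response lists AUTH=CRAM-MD5.
    Per the advisory, a server that does not advertise it is not exposed."""
    tokens = greeting_or_capability.replace("[", " ").replace("]", " ").upper().split()
    return "AUTH=CRAM-MD5" in tokens


# Constructed sample greetings (not captured from a real server).
SAMPLE_GREETINGS = {
    "with_cram": "* OK [CAPABILITY IMAP4REV1 LITERAL+ AUTH=CRAM-MD5 STARTTLS] mail.example.test ready",
    "without_cram": "* OK [CAPABILITY IMAP4REV1 LITERAL+ STARTTLS LOGINDISABLED] mail.example.test ready",
}


def failed_attempts_never_grant(attempts: int = 10) -> bool:
    """Returns True if `attempts` wrong responses all fail and the right one still succeeds."""
    verifier = CramMd5Verifier({"tim": "tanstaaftanstaaf"})   # constructed table
    challenge = b"<1896.697170952@postoffice.reston.mci.net>"  # RFC 2195 example
    wrong = "tim " + "0" * 32
    if any(verifier.verify(challenge, wrong) for _ in range(attempts)):
        return False
    good = client_response("tim", "tanstaaftanstaaf", challenge)
    return verifier.failures == attempts and verifier.verify(challenge, good)


if __name__ == "__main__":
    challenge = b"<1896.697170952@postoffice.reston.mci.net>"
    print("S: +", encode_line(challenge))
    print("C:", encode_line(client_response("tim", "tanstaaftanstaaf", challenge).encode()))
    print("10 bad attempts then a good one:", failed_attempts_never_grant())
    for name, line in SAMPLE_GREETINGS.items():
        print(name, "->", advertises_cram_md5(line))
```

The `failures` attribute exists only so a deployment can log or throttle; the decision in `verify` is a pure function of the stored password, the challenge and the digest, which is the property the advisory says the affected versions lacked.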

