Your message dated Wed, 23 Sep 2009 04:33:44 +0000
with message-id <e1mqjy0-0006hc...@ries.debian.org>
and subject line Bug#547947: fixed in cyrus-imapd-2.2 2.2.13-17
has caused the Debian Bug report #547947,
regarding CVE-2009-3235: CMU sieve buffer overflows
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
547947: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547947
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cyrus-imapd-2.2
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cyrus-imapd-2.2.
CVE-2009-3235[0]:
| Multiple stack-based buffer overflows in the Sieve plugin in Dovecot
| 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve,
| allow context-dependent attackers to cause a denial of service (crash)
| and possibly execute arbitrary code via a crafted SIEVE script, as
| demonstrated by forwarding an e-mail message to a large number of
| recipients, a different vulnerability than CVE-2009-2632.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3235
http://security-tracker.debian.net/tracker/CVE-2009-3235
Patch:
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/sieve.y.diff?r1=1.40;r2=1.41;f=h
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/bc_eval.c.diff?r1=1.14;r2=1.15;f=h
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.68;r2=1.69;f=h
--- End Message ---
--- Begin Message ---
Source: cyrus-imapd-2.2
Source-Version: 2.2.13-17
We believe that the bug you reported is fixed in the latest version of
cyrus-imapd-2.2, which is due to be installed in the Debian FTP archive:
cyrus-admin-2.2_2.2.13-17_all.deb
to pool/main/c/cyrus-imapd-2.2/cyrus-admin-2.2_2.2.13-17_all.deb
cyrus-clients-2.2_2.2.13-17_i386.deb
to pool/main/c/cyrus-imapd-2.2/cyrus-clients-2.2_2.2.13-17_i386.deb
cyrus-common-2.2_2.2.13-17_i386.deb
to pool/main/c/cyrus-imapd-2.2/cyrus-common-2.2_2.2.13-17_i386.deb
cyrus-dev-2.2_2.2.13-17_i386.deb
to pool/main/c/cyrus-imapd-2.2/cyrus-dev-2.2_2.2.13-17_i386.deb
cyrus-doc-2.2_2.2.13-17_all.deb
to pool/main/c/cyrus-imapd-2.2/cyrus-doc-2.2_2.2.13-17_all.deb
cyrus-imapd-2.2_2.2.13-17.diff.gz
to pool/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-17.diff.gz
cyrus-imapd-2.2_2.2.13-17.dsc
to pool/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-17.dsc
cyrus-imapd-2.2_2.2.13-17_i386.deb
to pool/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-17_i386.deb
cyrus-murder-2.2_2.2.13-17_i386.deb
to pool/main/c/cyrus-imapd-2.2/cyrus-murder-2.2_2.2.13-17_i386.deb
cyrus-nntpd-2.2_2.2.13-17_i386.deb
to pool/main/c/cyrus-imapd-2.2/cyrus-nntpd-2.2_2.2.13-17_i386.deb
cyrus-pop3d-2.2_2.2.13-17_i386.deb
to pool/main/c/cyrus-imapd-2.2/cyrus-pop3d-2.2_2.2.13-17_i386.deb
libcyrus-imap-perl22_2.2.13-17_i386.deb
to pool/main/c/cyrus-imapd-2.2/libcyrus-imap-perl22_2.2.13-17_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 547...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Henrique de Moraes Holschuh <h...@debian.org> (supplier of updated
cyrus-imapd-2.2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Tue, 22 Sep 2009 17:17:17 -0300
Source: cyrus-imapd-2.2
Binary: cyrus-common-2.2 cyrus-doc-2.2 cyrus-imapd-2.2 cyrus-pop3d-2.2
cyrus-admin-2.2 cyrus-murder-2.2 cyrus-nntpd-2.2 cyrus-clients-2.2
cyrus-dev-2.2 libcyrus-imap-perl22
Architecture: source all i386
Version: 2.2.13-17
Distribution: unstable
Urgency: high
Maintainer: Henrique de Moraes Holschuh <h...@debian.org>
Changed-By: Henrique de Moraes Holschuh <h...@debian.org>
Description:
cyrus-admin-2.2 - Cyrus mail system - administration tools
cyrus-clients-2.2 - Cyrus mail system (test clients)
cyrus-common-2.2 - Cyrus mail system - common files
cyrus-dev-2.2 - Cyrus mail system (developer files)
cyrus-doc-2.2 - Cyrus mail system - documentation files
cyrus-imapd-2.2 - Cyrus mail system - IMAP support
cyrus-murder-2.2 - Cyrus mail system (proxies and aggregator)
cyrus-nntpd-2.2 - Cyrus mail system (NNTP support)
cyrus-pop3d-2.2 - Cyrus mail system - POP3 support
libcyrus-imap-perl22 - Interface to Cyrus imap client imclient library
Closes: 547947
Changes:
cyrus-imapd-2.2 (2.2.13-17) unstable; urgency=high
.
* Security Update: CVE-2009-3235:
Multiple stack-based buffer overflows in the Sieve parsing code,
patches taken from upstream CVS (closes: #547947)
--- End Message ---