On Mon, 22 Nov 2004, David Powicki wrote:

> What's the word on susceptibility of versions based on the remote vulnerability documented at:
>
> http://security.e-matters.de/advisories/152004.html
>
> Are ALL versions of cyrus pre-2.2.9 vulnerable, including 2.1.X?

If you read the report at the URL, he summarizes which versions have which bugs. The PARTIAL and FETCH bugs are there earlier, including in 2.1.x. Both of these are "one byte memory corruption" ... "allows remote code execution, when the heap layout was successfully controlled by the attacker." Heap attacks are more difficult than the usual stack overflow attacks, but it would be smart to upgrade. The relevant portions of the patch between 2.2.8 and 2.2.9 can be applied (most likely by hand) to 2.1.x.
--- Cyrus Home Page: http://asg.web.cmu.edu/cyrus Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html