Bug 97344
| Summary: | CAN-2003-0297 c-client imap issue | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 2.1 | Reporter: | Mark J. Cox <mjc> |
| Component: | imap | Assignee: | John Dennis <jdennis> |
| Status: | CLOSED ERRATA | QA Contact: | David Lawrence <dkl> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | | |
| Version: | 2.1 | CC: | bressers |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://marc.theaimsgroup.com/?l=bugtraq&m=105294024124163 | | |
| Whiteboard: | Other, impact=low,public=20030514 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-02-18 15:16:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Description
Mark J. Cox
2003-06-13 13:06:41 UTC
According to the link below the 2001a implementation that was shipped in RHL-9 would not have had the security violation unless it had been specifically defeated. Unfortunately our CVS does not go back long enough to look at all the spec files but I'd be surprised if we defeated it. Also, in the link below and a search on the UW web site I was not able to find a reference to the security issue cited above, where did this come from? Since UW does not reference this issue I'll need some more details. http://www.washington.edu/imap/buffer.html

Here are the original details: http://marc.theaimsgroup.com/?l=bugtraq&m=105294024124163&w=2 I believe this to be a different issue to the one in the URL you refer to. Leaving as security status until otherwise determined.

O.K. thanks. Our current release is imap2002c, I see that imap2002d was recently released. imap2002c is sufficient but we might as well go to imap2002d. I will upgrade dist-10 and file an errata for dist-9. BTW, from my reading this is a very low risk issue from a security standpoint, it seems like the worst that would happen is someone's mailreader would crash, but we might as well fix it anyway.

Oops ... I was wrong, I said we were at 2002c but I had already updated dist-10 and dist-3.0E with 2002d which is the latest, so we're golden there. I think all I need to do is file an errata against dist-9 to bring it up to 2002d.

Errata RHSA-2003:266-02 for RHL 9 was generated. Leaving in modified state until the errata is published at which point this bug will be automatically closed.

This issue affects imap-2001a in RHEL2.1. Patch to follow.

Created attachment 107826
Patch (offsets may be wrong)

John, What are the odds of getting this fixed in the near future?

In all honesty this to some degree is your call. I've been asked to focus on new product development and put package maintenance on the back burner. I also just finished begging permission to finish some dovecot updates, our UW imap replacement. Of course security concerns trump all. This particular issue has lingered in 2.1 for quite a while now. If you feel this needs immediate attention at this juncture you need only say so and I'll go to my manager.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-114.html