Name: CAN-2005-0198 (under review)

Description: A logic error in the CRAM-MD5 code for the University of Washington IMAP (UW-IMAP) server, when Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, does not properly enforce all the required conditions for successful authentication, which allows remote attackers to authenticate as arbitrary users.

RHEL3 fixed this: http://www.redhat.com/support/errata/RHSA-2005-128.html

On RHEL21, this was not fixed, but they fixed a 1.5-year-old low-priority "server crashes the client" vulnerability (fix for imap and pine):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0297
http://rhn.redhat.com/errata/RHSA-2005-114.html
http://www.redhat.com/support/errata/RHSA-2005-015.html

It seems that we should fix CAN-2005-0198, but probably shouldn't bother with CAN-2003-0297 unless we have other reasons to update the packages.

------- Additional Comments From marcdeslauriers 2005-03-03 18:28:21 ----

Here are updated packages to QA:

rh73 & rh9 changelog:
* Thu Mar 03 2005 Marc Deslauriers <marcdeslauriers> 2001a-10.1.legacy
- Added security patch for CAN-2003-0297

fc1 changelog:
* Thu Mar 03 2005 Marc Deslauriers <marcdeslauriers> 1:2002d-3.1.legacy
- Added patch for CAN-2005-0198

rh73:
bbdaea4902b2289c9558441a8990afbe0a1f30d6 imap-2001a-10.1.legacy.i386.rpm
65da3900c03c2cbdc6d89778d915ef7265bb0cef imap-2001a-10.1.legacy.src.rpm
2db42fa17b2af9b5dfb60d1c79faf1c3746ecdff imap-devel-2001a-10.1.legacy.i386.rpm

rh9:
b0ea966dd91a8a6fc2dd92dd9a55ba4f49654577 imap-2001a-18.1.legacy.i386.rpm
66aef67093c25d67aee7b00049acf4fa54a5c284 imap-2001a-18.1.legacy.src.rpm
b4420cef56d3035a0c538e1ac98fe67a3efb0678 imap-devel-2001a-18.1.legacy.i386.rpm

fc1:
541b35503957b977f332e4cc6241ff2c9de21d9f imap-2002d-3.1.legacy.i386.rpm
c187aa10a2d8bd88e33495a3b0706cdabf7af076 imap-2002d-3.1.legacy.src.rpm
2a10d2746554520651a5b49efae58781fc6407ac imap-devel-2002d-3.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/imap-2001a-10.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/imap-2001a-10.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/imap-devel-2001a-10.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imap-2001a-18.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imap-2001a-18.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imap-devel-2001a-18.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/imap-2002d-3.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/imap-2002d-3.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/imap-devel-2002d-3.1.legacy.i386.rpm

------- Additional Comments From pekkas 2005-03-03 21:06:48 ----

QA for the rpms:
- source integrity OK
- spec file changes OK
- patches verified to come from upstream

* Note that to really fix 2003-0297, we'd also need to rebuild the packages using c-client, e.g., pine. But I suggest we defer that for now.
+PUBLISH RHL73,RHL9,FC1
65da3900c03c2cbdc6d89778d915ef7265bb0cef imap-2001a-10.1.legacy.src.rpm
66aef67093c25d67aee7b00049acf4fa54a5c284 imap-2001a-18.1.legacy.src.rpm
c187aa10a2d8bd88e33495a3b0706cdabf7af076 imap-2002d-3.1.legacy.src.rpm

------- Additional Comments From marcdeslauriers 2005-03-07 17:22:19 ----

Packages pushed to updates-testing

------- Additional Comments From madhatter 2005-03-08 01:25:30 ----

f4998e31f0121b54e6b618007a6c1a7ff8a08182 imap-2001a-18.1.legacy.i386.rpm

Installs OK; can log into IMAP with PINE (4.61), read messages, browse folders, move messages between folders, delete and expunge messages.

+VERIFY RH9

------- Additional Comments From pekkas 2005-03-16 11:16:20 ----

QA for RHL73:
- GPG signature OK
- installs OK
- Horde/IMP works OK. First there were problems, because IMP must be taught to accept self-signed certificates, and earlier I had disabled SSL, so php-imap wouldn't even try to do STARTTLS. But this was not an issue with the packaging.
+VERIFY RHL73
3dac230d4b4ed898d1adaf3e58ce5b13e80159dc imap-2001a-10.1.legacy.i386.rpm
766f42e2292693d1b0500dc151823d13382595c5 imap-devel-2001a-10.1.legacy.i386.rpm

------- Bug moved to this database by dkl 2005-03-30 18:31 -------

This bug was previously known as bug 2443 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2443
Originally filed under the Fedora Legacy product and General component.
Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
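The description at the top of this bug concerns the CRAM-MD5 (RFC 2195) exchange. As an added illustration, not code from this thread or from UW-IMAP's c-client, here is a minimal Python model of both sides of that exchange with a server-side verifier that rejects the login unless every condition holds (well-formed response, known user, well-formed digest, matching HMAC); the user table and hostname are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed demo credentials; a real server reads these from its auth store.
USER_SECRETS = {"alice": b"correct horse battery staple"}


def make_challenge(hostname="mail.example.test"):
    """Server side: a fresh, unpredictable challenge in the RFC 2195 form."""
    nonce = os.urandom(8).hex()
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def client_response(username, secret, challenge):
    """Client side: 'user HEX(HMAC-MD5(secret, challenge))', base64 on the wire."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def verify_response(wire, challenge, secrets=USER_SECRETS):
    """Server side: return the authenticated username, or None.

    Each check is independent and all must pass: valid base64, exactly two
    tokens, a known user, a 32-hex-char digest, and a digest equal to the
    one the server computes. Failing any single one rejects the login.
    """
    try:
        decoded = base64.b64decode(wire, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = decoded.split(" ")
    if len(parts) != 2:
        return None
    username, digest = parts
    secret = secrets.get(username)
    # Compute an expected digest even for unknown users so both paths take
    # comparable time; a dummy key is used when there is no real secret.
    key = secret if secret is not None else b"\x00"
    expected = hmac.new(key, challenge, hashlib.md5).hexdigest()
    if secret is None or len(digest) != 32:
        return None
    if not hmac.compare_digest(expected, digest.lower()):
        return None
    return username
```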
I did QA the packages:

rh9:
f4998e31f0121b54e6b618007a6c1a7ff8a08182 redhat/9/updates-testing/i386/imap-2001a-18.1.legacy.i386.rpm
d99cd4c0c0c83328a309c0263682dfbaa4e752ed redhat/9/updates-testing/i386/imap-devel-2001a-18.1.legacy.i386.rpm
6f8cac716e78dfcfe307dc5b4db6c604e2f47049 redhat/9/updates-testing/SRPMS/imap-2001a-18.1.legacy.src.rpm

fc1:
69ef237bbd50fc425e00be7093d3de1ddd919de1 fedora/1/updates-testing/i386/imap-2002d-3.1.legacy.i386.rpm
028d73692c13e4182788605987d246629e24df07 fedora/1/updates-testing/i386/imap-devel-2002d-3.1.legacy.i386.rpm
732db7ca229fc939456a2db14ae65c46f2fd7586 fedora/1/updates-testing/SRPMS/imap-2002d-3.1.legacy.src.rpm

sha1sum matches
rpm signature ok
source files ok
spec file ok
patches ok (vs. RHEL's patch)
src rebuilds ok
rpm-build-compare script ok
installs ok
runs ok

+PUBLISH
Umm.. the package only lacks verify for FC1, but additional testing of course doesn't hurt :-)
FC1 Verify:

sha1: 69ef237bbd50fc425e00be7093d3de1ddd919de1 imap-2002d-3.1.legacy.i386.rpm

signature:
imap-2002d-3.1.legacy.i386.rpm: Header V3 DSA signature: OK, key ID 731002fa
Header SHA1 digest: OK (894ccd0f1284710cc8eb8708d717049a29982ec3)
MD5 digest: OK (f2990fd9077abbb35cb5e391b7e6b216)
V3 DSA signature: OK, key ID 731002fa

Installed without any warnings or errors; works normally, can log in, read / delete messages etc.

+VERIFY FC1
Released to updates