Bug 152912 - CAN-2003-0297,CAN-2005-0198 imap bugs
CAN-2003-0297,CAN-2005-0198 imap bugs
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: imap (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
1, LEGACY, rh73, rh90
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-02-28 20:32 EST by Pekka Savola
Modified: 2007-04-18 13:22 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-05-12 20:53:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:31:48 EST
Name 	CAN-2005-0198 (under review)
Description 	A logic error in the CRAM-MD5 code for the University of Washington
IMAP (UW-IMAP) server, when Challenge-Response Authentication Mechanism with MD5
(CRAM-MD5) is enabled, does not properly enforce all the required conditions for
successful authentication, which allows remote attackers to authenticate as
arbitrary users.

RHEL3 fixed this:

http://www.redhat.com/support/errata/RHSA-2005-128.html

on RHEL21, this was not fixed but they fixed a 1.5 year-old low priority "server
crashes the client" vulnerability (fix for imap and pine):

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0297
http://rhn.redhat.com/errata/RHSA-2005-114.html
http://www.redhat.com/support/errata/RHSA-2005-015.html

It seems that we should fix CAN-2005-0198, but probably shouldn't bother with
CAN-2003-0297 unless we have other reasons to update the packages.



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-03 18:28:21 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA:

rh73 & rh9 changelog:
* Thu Mar 03 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 2001a-10.1.legacy
- - Added security patch for CAN-2003-0297

fc1 changelog:
* Thu Mar 03 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 1:2002d-3.1.legacy
- - Added patch for CAN-2005-0198

rh73:
bbdaea4902b2289c9558441a8990afbe0a1f30d6  imap-2001a-10.1.legacy.i386.rpm
65da3900c03c2cbdc6d89778d915ef7265bb0cef  imap-2001a-10.1.legacy.src.rpm
2db42fa17b2af9b5dfb60d1c79faf1c3746ecdff  imap-devel-2001a-10.1.legacy.i386.rpm

rh9:
b0ea966dd91a8a6fc2dd92dd9a55ba4f49654577  imap-2001a-18.1.legacy.i386.rpm
66aef67093c25d67aee7b00049acf4fa54a5c284  imap-2001a-18.1.legacy.src.rpm
b4420cef56d3035a0c538e1ac98fe67a3efb0678  imap-devel-2001a-18.1.legacy.i386.rpm

fc1:
541b35503957b977f332e4cc6241ff2c9de21d9f  imap-2002d-3.1.legacy.i386.rpm
c187aa10a2d8bd88e33495a3b0706cdabf7af076  imap-2002d-3.1.legacy.src.rpm
2a10d2746554520651a5b49efae58781fc6407ac  imap-devel-2002d-3.1.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/imap-2001a-10.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/imap-2001a-10.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/imap-devel-2001a-10.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imap-2001a-18.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imap-2001a-18.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imap-devel-2001a-18.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/imap-2002d-3.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/imap-2002d-3.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/imap-devel-2002d-3.1.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCJ+PWLMAs/0C4zNoRApluAKCMS1yzd12reuQqAfKYofVuwx/TLwCdGEEr
//Vm6pOsfdw8zNwaB47NbLE=
=r0K4
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2005-03-03 21:06:48 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for the rpms:
 - source integrity OK
 - spec file changes OK
 - patches verified to come from upstream
  * note that to really fix 2003-0297, we'd also need to rebuild the
    packages using c-client, e.g., pine.  But I suggest we defer that for
    now.
 
+PUBLISH RHL73,RHL9,FC1
 
65da3900c03c2cbdc6d89778d915ef7265bb0cef  imap-2001a-10.1.legacy.src.rpm
66aef67093c25d67aee7b00049acf4fa54a5c284  imap-2001a-18.1.legacy.src.rpm
c187aa10a2d8bd88e33495a3b0706cdabf7af076  imap-2002d-3.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFCKAjYGHbTkzxSL7QRAv37AJ90oYrLDxVshAnthhMJuar5iKleOgCcCFMs
jeYXT9Tte2znFbEzCDWGZS8=
=ui92
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-07 17:22:19 ----

Packages pushed to updates-testing



------- Additional Comments From madhatter@teaparty.net 2005-03-08 01:25:30 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

f4998e31f0121b54e6b618007a6c1a7ff8a08182  imap-2001a-18.1.legacy.i386.rpm

installs OK, can log into IMAP with PINE (4.61), read messages, browse
folders, move messages between folders, delete and expunge messages.

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCLYtcePtvKV31zw4RAqkxAJ9L7qvLZNLHlpsAwVG0b4WczR24JwCfc2+J
jdaFDzJyqEJwmur7AUtJB50=
=ZML0
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2005-03-16 11:16:20 ----

----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL73:
 - GPG signature OK
 - installs OK
 - Horde/IMP works OK.  First there were problems, because IMP must be
taught to accept self-signed certificates, and earlier I had disabled SSL,
so php-imap wouldn't even try to do STARTTLS.  But this was not an issue
with the packaging.

+VERIFY RHL73

3dac230d4b4ed898d1adaf3e58ce5b13e80159dc  imap-2001a-10.1.legacy.i386.rpm
766f42e2292693d1b0500dc151823d13382595c5  imap-devel-2001a-10.1.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCOKHeGHbTkzxSL7QRArqSAKCRqlpVnxMWcD0as6QGXGRAqYlYkgCgrzHq
8JLN1qRX3rBCYLhsM1x8DLI=
=LmLV
-----END PGP SIGNATURE-----



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:31 -------

This bug previously known as bug 2443 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2443
Originally filed under the Fedora Legacy product and General component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 TSUDA Fumika 2005-05-08 22:49:14 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA the packages
rh9:
f4998e31f0121b54e6b618007a6c1a7ff8a08182
redhat/9/updates-testing/i386/imap-2001a-18.1.legacy.i386.rpm
d99cd4c0c0c83328a309c0263682dfbaa4e752ed
redhat/9/updates-testing/i386/imap-devel-2001a-18.1.legacy.i386.rpm
6f8cac716e78dfcfe307dc5b4db6c604e2f47049
redhat/9/updates-testing/SRPMS/imap-2001a-18.1.legacy.src.rpm

fc1:
69ef237bbd50fc425e00be7093d3de1ddd919de1
fedora/1/updates-testing/i386/imap-2002d-3.1.legacy.i386.rpm
028d73692c13e4182788605987d246629e24df07
fedora/1/updates-testing/i386/imap-devel-2002d-3.1.legacy.i386.rpm
732db7ca229fc939456a2db14ae65c46f2fd7586
fedora/1/updates-testing/SRPMS/imap-2002d-3.1.legacy.src.rpm

sha1sum matches
rpm signature ok
source files ok
spec file ok
patches ok (v.s. RHEL's Patch)
src rebuilds ok
rpm-build-compare script ok
installs ok
runs ok
+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCfstLuZYb5AhVqVoRAt+6AKDNJMPvvpfdkbrVQtnt8uYeTFpq1QCghoqK
sUMJGI2ysHNYhQRTG2Wk1wg=
=DhYf
-----END PGP SIGNATURE-----
Comment 2 Pekka Savola 2005-05-09 01:16:04 EDT
Umm.. the package only lacks verify for FC1, but additional testing of course
doesn't hurt :-)
Comment 3 mschout 2005-05-10 00:53:51 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FC1 Verify:

sha1
69ef237bbd50fc425e00be7093d3de1ddd919de1  imap-2002d-3.1.legacy.i386.rpm

signature:
imap-2002d-3.1.legacy.i386.rpm:
    Header V3 DSA signature: OK, key ID 731002fa
    Header SHA1 digest: OK (894ccd0f1284710cc8eb8708d717049a29982ec3)
    MD5 digest: OK (f2990fd9077abbb35cb5e391b7e6b216)
    V3 DSA signature: OK, key ID 731002fa

installed without any warnings or errors

work normally can log in, read / delete messages etc.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCgD5S+CqvSzp9LOwRAgjFAJ988u/NAV3GdEPgKTnZxD8P6b2d+QCZAYdl
fd5cFrrCEaWgMaXH9ylw5tc=
=EW8L
-----END PGP SIGNATURE-----
Comment 4 Marc Deslauriers 2005-05-12 20:53:15 EDT
Released to updates

Note You need to log in before you can comment on or make changes to this bug.