[Security] Fedora Core 3 Update: cyrus-imapd-2.2.12-1.1.fc3

John Dennis jdennis at redhat.com
Wed Apr 27 19:10:53 UTC 2005

Fedora Update Notification

Product     : Fedora Core 3
Name        : cyrus-imapd
Version     : 2.2.12                      
Release     : 1.1.fc3                  
Summary     : A high-performance mail server with IMAP, POP3, NNTP and SIEVE support.
Description :
The cyrus-imapd package contains the core of the Cyrus IMAP server.
It is a scalable enterprise mail system designed for use from
small to large enterprise environments using standards-based
internet mail technologies.

A full Cyrus IMAP implementation allows a seamless mail and bulletin
board environment to be set up across multiple servers. It differs from
other IMAP server implementations in that it is run on "sealed"
servers, where users are not normally permitted to log in. The mailbox
database is stored in parts of the filesystem that are private to the
Cyrus IMAP server. All user access to mail is through software using
the IMAP, POP3, or KPOP protocols. TLSv1 and SSL are supported for

Update Information:

Several buffer overflow bugs were found in cyrus-imapd. It is possible that
an authenticated malicious user could cause the imap server to crash.
Additionally, a peer news admin could potentially execute arbitrary code on
the imap server when news is received using the fetchnews command. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-0546 to this issue.

In addition this version of the rpm contains a collection of other
fixes since the last FC3 update (see the changelog below).

>>>>>>>>>>>> IMPORTANT NOTE FOR X86_64 INSTALLATION <<<<<<<<<<<<

This rpm also fixes bug #156121 that incorrectly placed some
executables in /usr/lib64/cyrus-imapd. /usr/lib64 is reserved for 64-bit
libraries, and this caused problems for existing scripts that expected
to find them in a canonical location (/usr/lib/cyrus-imapd) and
violated the multilib packaging guidelines. Only references external to
the cyrus-imapd package are affected by this; the rpm is
self-consistent. The most notable example is /usr/lib64/cyrus-imapd/deliver,
which is now /usr/lib/cyrus-imapd/deliver (use of lmtp is encouraged
in preference to deliver). This change only affects x86_64

* Mon Apr  4 2005 John Dennis <jdennis at redhat.com> - 2.2.12-1.1.fc3

- bring up to 2.2.12, fixes security CAN-2005-0546

* Mon Feb 14 2005 Simon Matter <simon.matter at invoca.ch>

- updated to 2.2.12
- updated autocreate and autosievefolder patches

* Sat Feb  5 2005 Simon Matter <simon.matter at invoca.ch>

- updated autosievefolder patch

* Tue Feb  1 2005 Simon Matter <simon.matter at invoca.ch>

- remove special ownership and permissions from deliver
- enable deliver-wrapper per default
- enable OutlookExpress seenstate patch per default

* Wed Jan 19 2005 Simon Matter <simon.matter at invoca.ch>

- updated autocreate patch

* Fri Jan 14 2005 Simon Matter <simon.matter at invoca.ch>

- spec file cleanup

* Tue Jan 11 2005 Simon Matter <simon.matter at invoca.ch>

- updated autocreate patch

* Fri Jan  7 2005 Simon Matter <simon.matter at invoca.ch>

- moved contrib dir into doc, made scripts not executable

* Thu Jan  6 2005 Simon Matter <simon.matter at invoca.ch>

- added more fixes to the autocreate patch
- don't use /usr/lib for /usr/lib/cyrus-imapd, it's a mess on x86_64
- don't use /usr/lib for symlinks
- remove /usr/lib patches
- change pam configs to work on x86_64
- changed default build option for IDLED to on
- changed rpm_set_permissions to honor partitions in /etc/imapd.conf

* Tue Jan  4 2005 Simon Matter <simon.matter at invoca.ch>

- updated autocreate patch

* Mon Dec 20 2004 Simon Matter <simon.matter at invoca.ch>

- remove idled docs when disabled, fixes RedHat's bug #142345

* Fri Dec 17 2004 Simon Matter <simon.matter at invoca.ch>

- removed allnumeric patch, not needed anymore
- made groupcache a compile time option
- rename nntp's pam service, fixes RedHat's bug #142672

* Thu Dec 16 2004 Simon Matter <simon.matter at invoca.ch>

- updated groupcache patch
- updated cvt_cyrusdb_all to use runuser instead of su if available
- added upd_groupcache tool

* Wed Dec 15 2004 Simon Matter <simon.matter at invoca.ch>

- added groupfile patch to help those using nss_ldap

This update can be downloaded from:


This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  

John Dennis <jdennis at redhat.com>
