Bug 719998 - (CVE-2011-3372) VUL-0: CVE-2011-3372: cyrus-imapd: Cyrus IMAPd nntpd authentication bypass
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
maint:released:11.3:43538 maint:relea...
Reported: 2011-09-23 07:23 UTC by Ludwig Nussel
Modified: 2015-09-16 12:32 UTC

Attachments
nntp-auth-vuln-2.3.patch (7.82 KB, patch)
2011-09-23 07:25 UTC, Ludwig Nussel
nntp-auth-vuln-2.4.patch (8.14 KB, patch)
2011-09-23 07:25 UTC, Ludwig Nussel

Description Ludwig Nussel 2011-09-23 07:23:27 UTC
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

Malicious NNTP clients could bypass the authentication and execute commands that normally require authentication.
Comment 2 Ludwig Nussel 2011-09-23 07:25:01 UTC
Created attachment 452695
nntp-auth-vuln-2.3.patch
Comment 4 Ludwig Nussel 2011-09-23 07:25:38 UTC
Created attachment 452697
nntp-auth-vuln-2.4.patch
Comment 6 Ludwig Nussel 2011-09-26 07:36:57 UTC
CVE-2011-3372
Comment 7 Ralf Haferkamp 2011-10-04 13:49:25 UTC
Patch submitted to SLE-11-SP1, SLE-10-SP3, SLE-10-SP4 and SLES9-SP3

openSUSE packages will be submitted when bug is public.
Comment 8 Ralf Haferkamp 2011-10-05 07:18:17 UTC
Submitted to 11.3, 11.4 and Factory
Comment 9 Bernhard Wiedemann 2011-10-05 08:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (719998) was mentioned in
https://build.opensuse.org/request/show/86620 11.4 / cyrus-imapd
https://build.opensuse.org/request/show/86621 11.3 / cyrus-imapd
https://build.opensuse.org/request/show/86622 Factory / cyrus-imapd
Comment 10 Swamp Workflow Management 2011-10-05 12:52:25 UTC
The SWAMPID for this issue is 43536.
This issue was rated as moderate.
Please submit fixed packages until 2011-10-19.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 11 Swamp Workflow Management 2011-10-24 08:29:51 UTC
Update released for: cyrus-imapd, cyrus-imapd-debuginfo, cyrus-imapd-debugsource, cyrus-imapd-devel, perl-Cyrus-IMAP, perl-Cyrus-IMAP-debuginfo, perl-Cyrus-SIEVE-managesieve, perl-Cyrus-SIEVE-managesieve-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 12 Sebastian Krahmer 2011-10-24 08:30:52 UTC
done
Comment 13 Swamp Workflow Management 2011-10-24 11:11:16 UTC
Update released for: cyrus-imapd, cyrus-imapd-debuginfo, cyrus-imapd-debugsource, cyrus-imapd-devel, perl-Cyrus-IMAP, perl-Cyrus-SIEVE-managesieve
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 14 Swamp Workflow Management 2011-10-24 11:49:55 UTC
Update released for: cyrus-imapd, cyrus-imapd-debuginfo, cyrus-imapd-devel, perl-Cyrus-IMAP, perl-Cyrus-SIEVE-managesieve
Products:
SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 15 Swamp Workflow Management 2011-10-24 12:48:49 UTC
Update released for: cyrus-imapd, cyrus-imapd-debuginfo, cyrus-imapd-devel, perl-Cyrus-IMAP, perl-Cyrus-SIEVE-managesieve
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 16 Swamp Workflow Management 2011-10-24 16:10:25 UTC
Update released for: cyrus-imapd, cyrus-imapd-devel, perl-Cyrus-IMAP, perl-Cyrus-SIEVE-managesieve
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 17 Bernhard Wiedemann 2011-11-05 08:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (719998) was mentioned in
https://build.opensuse.org/request/show/90145 Evergreen:11.1 / cyrus-imapd