ESB-2017.2289 - [Win][Linux][FreeBSD] cyrus-imapd: Access confidential data - Existing account 2017-09-11

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2289
               cyrus-imapd -- broken "other users" behaviour
                             11 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           cyrus-imapd
Publisher:         FreeBSD
Operating System:  FreeBSD
                   Linux variants
                   Windows
Impact/Access:     Access Confidential Data -- Existing Account
                   Denial of Service        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14230  

Original Bulletin: 
   http://www.vuxml.org/freebsd/f9f76a50-9642-11e7-ab09-080027b00c2e.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than FreeBSD. It is recommended that administrators
         running cyrus-imapd check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

cyrus-imapd -- broken "other users" behaviour

Affected packages

3.0.0 <= cyrus-imapd30 < 3.0.4

Details

VuXML ID   f9f76a50-9642-11e7-ab09-080027b00c2e
Discovery  2017-09-07
Entry      2017-09-10

Cyrus IMAP 3.0.4 Release Notes states:

Fixed Issue #2132: Broken "Other Users" behaviour

References

CVE Name   CVE-2017-14230
URL        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14230

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
