Bug 719998 (CVE-2011-3372) - VUL-0: CVE-2011-3372: cyrus-imapd: Cyrus IMAPd nntpd authentication bypass
Summary: VUL-0: CVE-2011-3372: cyrus-imapd: Cyrus IMAPd nntpd authentication bypass
Status: RESOLVED FIXED
Alias: CVE-2011-3372
Product: SUSE Security Incidents
Classification: Novell Products
Component: General (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2011-10-19
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:11.3:43538 maint:relea...
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-23 07:23 UTC by Ludwig Nussel
Modified: 2015-09-16 12:32 UTC (History)
3 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
nntp-auth-vuln-2.3.patch (7.82 KB, patch)
2011-09-23 07:25 UTC, Ludwig Nussel 		Details | Diff
nntp-auth-vuln-2.4.patch (8.14 KB, patch)
2011-09-23 07:25 UTC, Ludwig Nussel 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2011-09-23 07:23:27 UTC 
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

Malicious NNTP clients could bypass the authentication and execute commands that normally require authentication.
Comment 2 Ludwig Nussel 2011-09-23 07:25:01 UTC 
Created attachment 452695 [details]
nntp-auth-vuln-2.3.patch
Comment 4 Ludwig Nussel 2011-09-23 07:25:38 UTC 
Created attachment 452697 [details]
nntp-auth-vuln-2.4.patch
Comment 6 Ludwig Nussel 2011-09-26 07:36:57 UTC 
CVE-2011-3372
Comment 7 Ralf Haferkamp 2011-10-04 13:49:25 UTC 
Patch submitted to SLE-11-SP1, SLE-10-SP3, SLE-10-SP4 and SLES9-SP3

openSUSE packages will be submitted when bug is public.
Comment 8 Ralf Haferkamp 2011-10-05 07:18:17 UTC 
Submitted to 11.3, 11.4 and Factory
Comment 9 Bernhard Wiedemann 2011-10-05 08:00:10 UTC 
This is an autogenerated message for OBS integration:
This bug (719998) was mentioned in
https://build.opensuse.org/request/show/86620 11.4 / cyrus-imapd
https://build.opensuse.org/request/show/86621 11.3 / cyrus-imapd
https://build.opensuse.org/request/show/86622 Factory / cyrus-imapd
Comment 10 Swamp Workflow Management 2011-10-05 12:52:25 UTC 
The SWAMPID for this issue is 43536.
This issue was rated as moderate.
Please submit fixed packages until 2011-10-19.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 11 Swamp Workflow Management 2011-10-24 08:29:51 UTC 
Update released for: cyrus-imapd, cyrus-imapd-debuginfo, cyrus-imapd-debugsource, cyrus-imapd-devel, perl-Cyrus-IMAP, perl-Cyrus-IMAP-debuginfo, perl-Cyrus-SIEVE-managesieve, perl-Cyrus-SIEVE-managesieve-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 12 Sebastian Krahmer 2011-10-24 08:30:52 UTC 
done
Comment 13 Swamp Workflow Management 2011-10-24 11:11:16 UTC 
Update released for: cyrus-imapd, cyrus-imapd-debuginfo, cyrus-imapd-debugsource, cyrus-imapd-devel, perl-Cyrus-IMAP, perl-Cyrus-SIEVE-managesieve
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 14 Swamp Workflow Management 2011-10-24 11:49:55 UTC 
Update released for: cyrus-imapd, cyrus-imapd-debuginfo, cyrus-imapd-devel, perl-Cyrus-IMAP, perl-Cyrus-SIEVE-managesieve
Products:
SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 15 Swamp Workflow Management 2011-10-24 12:48:49 UTC 
Update released for: cyrus-imapd, cyrus-imapd-debuginfo, cyrus-imapd-devel, perl-Cyrus-IMAP, perl-Cyrus-SIEVE-managesieve
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 16 Swamp Workflow Management 2011-10-24 16:10:25 UTC 
Update released for: cyrus-imapd, cyrus-imapd-devel, perl-Cyrus-IMAP, perl-Cyrus-SIEVE-managesieve
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 17 Bernhard Wiedemann 2011-11-05 08:00:16 UTC 
This is an autogenerated message for OBS integration:
This bug (719998) was mentioned in
https://build.opensuse.org/request/show/90145 Evergreen:11.1 / cyrus-imapd