Jump to content
Compatible Support Forums
Sign in to follow this  
news

[security-announce] SUSE-SU-2016:1457-1: important: Security update for cyrus-imapd

Recommended Posts

SUSE Security Update: Security update for cyrus-imapd

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2016:1457-1

Rating: important

References: #860611 #901748 #954200 #954201 #981670

Cross-References: CVE-2014-3566 CVE-2015-8076 CVE-2015-8077

CVE-2015-8078

Affected Products:

SUSE Linux Enterprise Server 12-SP1

SUSE Linux Enterprise Server 12

______________________________________________________________________________

 

An update that solves four vulnerabilities and has one

errata is now available.

 

Description:

 

 

- Previous versions of cyrus-imapd would not allow its users to disable

old protocols like SSLv1 and SSLv2 that are unsafe due to various known

attacks like BEAST and POODLE.

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3867 remedies this issue

by adding the configuration option 'tls_versions' to the imapd.conf

file. Note that users who upgrade existing installation of this package

will *not* have their imapd.conf file overwritten, i.e. their IMAP

server will continue to support SSLv1 and SSLv2 like before. To disable

support for those protocols, it's necessary to edit imapd.conf manually

to state "tls_versions: tls1_0 tls1_1 tls1_2". New installations,

however, will have an imapd.conf file that contains these settings

already, i.e. newly installed IMAP servers do *not* support SSLv1 and

SSLv2 unless that support is explicitly enabled by the user. (bsc#901748)

 

- An integer overflow vulnerability in cyrus-imapd's urlfetch range

checking code was fixed. (CVE-2015-8076, CVE-2015-8077, CVE-2015-8078,

bsc#981670, bsc#954200, bsc#954201)

 

- Support for Elliptic Curve Diffie–Hellman (ECDH) has been added to

cyrus-imapd. (bsc#860611)

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Linux Enterprise Server 12-SP1:

 

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-864=1

 

- SUSE Linux Enterprise Server 12:

 

zypper in -t patch SUSE-SLE-SERVER-12-2016-864=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

 

cyrus-imapd-debuginfo-2.3.18-37.1

cyrus-imapd-debugsource-2.3.18-37.1

perl-Cyrus-IMAP-2.3.18-37.1

perl-Cyrus-IMAP-debuginfo-2.3.18-37.1

perl-Cyrus-SIEVE-managesieve-2.3.18-37.1

perl-Cyrus-SIEVE-managesieve-debuginfo-2.3.18-37.1

 

- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

 

cyrus-imapd-debuginfo-2.3.18-37.1

cyrus-imapd-debugsource-2.3.18-37.1

perl-Cyrus-IMAP-2.3.18-37.1

perl-Cyrus-IMAP-debuginfo-2.3.18-37.1

perl-Cyrus-SIEVE-managesieve-2.3.18-37.1

perl-Cyrus-SIEVE-managesieve-debuginfo-2.3.18-37.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2014-3566.html

https://www.suse.com/security/cve/CVE-2015-8076.html

https://www.suse.com/security/cve/CVE-2015-8077.html

https://www.suse.com/security/cve/CVE-2015-8078.html

https://bugzilla.suse.com/860611

https://bugzilla.suse.com/901748

https://bugzilla.suse.com/954200

https://bugzilla.suse.com/954201

https://bugzilla.suse.com/981670

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×