CVE-2011-1926

Related Files

Debian Security Advisory 2258-1

Posted Jun 13, 2011

Authored by Debian | Site debian.org

Debian Linux Security Advisory 2258-1 - It was discovered that the STARTTLS implementation of the Kolab Cyrus IMAP server does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted IMAP, LMTP, NNTP and POP3 sessions by sending a cleartext command that is processed after TLS is in place. Please note that the advisory number listed in this advisory incorrectly calls it 2257-1, but it is 2258-1.

tags | advisory, imap

systems | linux, debian

advisories | CVE-2011-1926

SHA-256 | 60c5310993e97c19c5cdcdcf134c44109b643441cbeea79d62de1831cea396a1

Download | Favorite | View

Red Hat Security Advisory 2011-0859

Posted Jun 9, 2011

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2011-0859 - The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and Sieve support. It was discovered that cyrus-imapd did not flush the received commands buffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3 sessions. A man-in-the-middle attacker could use this flaw to inject protocol commands into a victim's TLS session initialization messages. This could lead to those commands being processed by cyrus-imapd, potentially allowing the attacker to steal the victim's mail or authentication credentials. Various other issues were also addressed.

tags | advisory, imap, protocol

systems | linux, redhat

advisories | CVE-2011-1926

SHA-256 | fbb933d7dd8db52517f73e6b2c79ea7e31a4f26aac03bbafbaa902ec4db8b03e

Download | Favorite | View

Debian Security Advisory 2242-1

Posted May 26, 2011

Authored by Debian | Site debian.org

Debian Linux Security Advisory 2242-1 - It was discovered that the STARTTLS implementation of the Cyrus IMAP server does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted IMAP, LMTP, NNTP and POP3 sessions by sending a cleartext command that is processed after TLS is in place.

tags | advisory, imap

systems | linux, debian

advisories | CVE-2011-1926

SHA-256 | f37324dcc067286882e574ec8915f95149ac06b8464188d28a9c6684f2be52e4

Download | Favorite | View

Mandriva Linux Security Advisory 2011-100

Posted May 25, 2011

Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2011-100 - The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411.

tags | advisory, imap

systems | linux, mandriva

advisories | CVE-2011-1926

SHA-256 | dcd2c353c81c889d6b3ed40ee816336b07c372c37a756dfb0601d4a306195143

Download | Favorite | View