Fedora 11: FEDORA-2009-9901 Moderate: cyrus-imapd Buffer Overflow

The cyrus-imapd package contains the core of the Cyrus IMAP server.

It is a scaleable enterprise mail system designed for use from

small to large enterprise environments using standards-based

internet mail technologies.

A full Cyrus IMAP implementation allows a seamless mail and bulletin

board environment to be set up across multiple servers. It differs from

other IMAP server implementations in that it is run on "sealed"

servers, where users are not normally permitted to log in and have no

system account on the server. The mailbox database is stored in parts

of the filesystem that are private to the Cyrus IMAP server. All user

access to mail is through software using the IMAP, POP3 or KPOP

protocols. It also includes support for virtual domains, NNTP,

mailbox annotations, and much more. The private mailbox database design

gives the server large advantages in efficiency, scalability and

administratability. Multiple concurrent read/write connections to the

same mailbox are permitted. The server supports access control lists on

mailboxes and storage quotas on mailbox hierarchies.

The Cyrus IMAP server supports the IMAP4rev1 protocol described

in RFC 3501. IMAP4rev1 has been approved as a proposed standard.

It supports any authentication mechanism available from the SASL

library, imaps/pop3s/nntps (IMAP/POP3/NNTP encrypted using SSL and

TLSv1) can be used for security. The server supports single instance

store where possible when an email message is addressed to multiple

recipients, SIEVE provides server side email filtering.

Fixed multiple stack-based buffer overflows in libsieve, which allowed context- dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script.