Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 634
Alerts This Week
Warning Icon 1 634

Red Hat Enterprise Linux 8: RHSA-2020-4655 Security Update for cyrus-imapd

red hat
Calendar Grey November 3, 2020
Dist Redhat Esm H88
An update aimed at enhancing security for cyrus-imapd in Red Hat Linux 8 tackles several moderate concerns, particularly those related to potential privilege escalation vulnerabilities.
An update for cyrus-imapd is now available for Red Hat Enterprise Linux 8

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and SIEVE support.
Security Fix(es):
* cyrus-imapd: privilege escalation in HTTP request (CVE-2019-18928)
* cyrus-imapd: lmtpd component created mailboxes with administrator privileges if the "fileinto" was used, bypassing ACL checks (CVE-2019-19783)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.

References

https://access.redhat.com/security/cve/CVE-2019-18928 https://access.redhat.com/security/cve/CVE-2019-19783 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

Package List

Red Hat Enterprise Linux AppStream (v. 8):
Source: cyrus-imapd-3.0.7-19.el8.src.rpm
aarch64: cyrus-imapd-3.0.7-19.el8.aarch64.rpm cyrus-imapd-debuginfo-3.0.7-19.el8.aarch64.rpm cyrus-imapd-debugsource-3.0.7-19.el8.aarch64.rpm cyrus-imapd-utils-3.0.7-19.el8.aarch64.rpm cyrus-imapd-utils-debuginfo-3.0.7-19.el8.aarch64.rpm cyrus-imapd-vzic-3.0.7-19.el8.aarch64.rpm cyrus-imapd-vzic-debuginfo-3.0.7-19.el8.aarch64.rpm
ppc64le: cyrus-imapd-3.0.7-19.el8.ppc64le.rpm cyrus-imapd-debuginfo-3.0.7-19.el8.ppc64le.rpm cyrus-imapd-debugsource-3.0.7-19.el8.ppc64le.rpm cyrus-imapd-utils-3.0.7-19.el8.ppc64le.rpm cyrus-imapd-utils-debuginfo-3.0.7-19.el8.ppc64le.rpm cyrus-imapd-vzic-3.0.7-19.el8.ppc64le.rpm cyrus-imapd-vzic-debuginfo-3.0.7-19.el8.ppc64le.rpm
s390x: cyrus-imapd-3.0.7-19.el8.s390x.rpm cyrus-imapd-debuginfo-3.0.7-19.el8.s390x.rpm cyrus-imapd-debugsource-3.0.7-19.el8.s390x.rpm cyrus-imapd-utils-3.0.7-19.el8.s390x.rpm cyrus-imapd-utils-debuginfo-3.0.7-19.el8.s390x.rpm cyrus-imapd-vzic-3.0.7-19.el8.s390x.rpm cyrus-imapd-vzic-debuginfo-3.0.7-19.el8.s390x.rpm
x86_64: cyrus-imapd-3.0.7-19.el8.i686.rpm cyrus-imapd-3.0.7-19.el8.x86_64.rpm cyrus-imapd-debuginfo-3.0.7-19.el8.i686.rpm cyrus-imapd-debuginfo-3.0.7-19.el8.x86_64.rpm cyrus-imapd-debugsource-3.0.7-19.el8.i686.rpm

Read the Full Advisory


Advisory ID: RHSA-2020:4655-01
Product: Red Hat Enterprise Linux
Issue date: 2020-11-03

Topic

An update for cyrus-imapd is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

Bugs Fixed

1671239 - Changelog was removed, reverting the commit is required

1710722 - cyrus-imapd-key.pem has wrong permissions

1775177 - CVE-2019-18928 cyrus-imapd: privilege escalation in HTTP request

1786756 - CVE-2019-19783 cyrus-imapd: lmtpd component created mailboxes with administrator privileges if the "fileinto" was used, bypassing ACL checks

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.