Buffer Overflows Patched in Cyrus Mail Server

Carnegie Mellon rolls out a new version of its Cyrus IMAP Server project to plug a series of code execution flaws.

Carnegie Mellon University has released a new version of its widely deployed Cyrus IMAP Server to fix a series of potentially dangerous code execution vulnerabilities.

The flaws affect Cyrus IMAP Server 2.2.10 and prior and carry a "moderately critical" rating from independent security research company Secunia.

Users are strongly urged to upgrade to Cyrus IMAP Server 2.2.11 to avoid buffer overflow conditions.

According to the Secunia advisory, an off-by-one boundary error was detected in the mailbox-handling feature that could be exploited by malicious, authenticated users to cause a buffer overflow.

Another flaw in the "imapd" annotate extension could also lead to the execution of arbitrary code. The new version of Cyrus IMAP Server also patches unspecified boundary errors in "fetchnews," "backend," and "imapd," which can all cause stack-based buffer overflows.

The Cyrus IMAP Server is a key part of Carnegie Mellon's Cyrus Electronic Mail Project, which provides scalable mail systems for both small and large enterprises.

Cyrus IMAP Server provides access to personal mail and system-wide bulletin boards through the standards-based IMAP. A full Cyrus IMAP implementation allows a seamless mail and bulletin-board environment to be set up across multiple servers.

