-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  imapd (SSA:2005-310-06)

New imapd packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,
10.2, and -current to fix (an alleged) security issue.  See the details
below for more information.  Also, new Pine packages are provided since
these are built together...  why not?  Might as well upgrade that too,
while I'm fixing the fake security problem.  :-)


Here are the details from the Slackware 10.2 ChangeLog:
+--------------------------+
patches/packages/imapd-4.64-i486-1.tgz:  Upgraded to imapd-4.64.
  A buffer overflow was reported in the mail_valid_net_parse_work function.
  However, this function in the c-client library does not appear to be called
  from anywhere in imapd.  iDefense states that the issue is of LOW risk to
  sites that allow users shell access, and LOW-MODERATE risk to other servers.
  I believe it's possible that it is of NIL risk if the function is indeed
  dead code to imapd, but draw your own conclusions...
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated packages for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/

Updated packages for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/

Updated packages for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/

Updated packages for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/

Updated packages for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/

Updated packages for Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/


MD5 signatures:
+-------------+

Slackware 8.1 packages:
78d3d037b97f17c111072c5d4c38e9f2  imapd-4.64-i386-1.tgz
1c85ca280ccc67126bc6dc1dca975627  pine-4.64-i386-1.tgz

Slackware 9.0 packages:
b7441e48990c943a407e624297462bcf  imapd-4.64-i386-1.tgz
511f23cdfad804091c2cd19535049921  pine-4.64-i386-1.tgz

Slackware 9.1 packages:
7a2ad708d914c8b5a87bdeefa008c85b  imapd-4.64-i486-1.tgz
2b9d497ab55f4d3ffaf5f9e14a4d8b7b  pine-4.64-i486-1.tgz

Slackware 10.0 packages:
87c82d442781a04cf0f9fd5e49e22732  imapd-4.64-i486-1.tgz
d311d9f79910d828511e5509de6215f2  pine-4.64-i486-1.tgz

Slackware 10.1 packages:
445d1414e92aaf236d277f09cff074ea  imapd-4.64-i486-1.tgz
ed694c28eae7fb967a510b8c71137ceb  pine-4.64-i486-1.tgz

Slackware 10.2 packages:
1e74b74199a891851347f05f77585c35  imapd-4.64-i486-1.tgz
874997ce55e5700854fcdd4b5c8cbe8d  pine-4.64-i486-1.tgz

Slackware -current packages:
874997ce55e5700854fcdd4b5c8cbe8d  pine-4.64-i486-1.tgz
1e74b74199a891851347f05f77585c35  imapd-4.64-i486-1.tgz


Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg pine-4.64-i486-1.tgz imapd-4.64-i486-1.tgz


+-----+

Slackware: 2005-310-06: imapd Security Update

November 6, 2005
New imapd packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix (an alleged) security issue

Summary

Here are the details from the Slackware 10.2 ChangeLog: patches/packages/imapd-4.64-i486-1.tgz: Upgraded to imapd-4.64. A buffer overflow was reported in the mail_valid_net_parse_work function. However, this function in the c-client library does not appear to be called from anywhere in imapd. iDefense states that the issue is of LOW risk to sites that allow users shell access, and LOW-MODERATE risk to other servers. I believe it's possible that it is of NIL risk if the function is indeed dead code to imapd, but draw your own conclusions... (* Security fix *)

Where Find New Packages

Updated packages for Slackware 8.1: ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/ ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/
Updated packages for Slackware 9.0: ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/ ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/
Updated packages for Slackware 9.1: ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/ ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/
Updated packages for Slackware 10.0: ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/ ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/
Updated packages for Slackware 10.1: ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/ ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/
Updated packages for Slackware 10.2: ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/ ftp...

Read the Full Advisory

MD5 Signatures

Slackware 8.1 packages: 78d3d037b97f17c111072c5d4c38e9f2 imapd-4.64-i386-1.tgz 1c85ca280ccc67126bc6dc1dca975627 pine-4.64-i386-1.tgz
Slackware 9.0 packages: b7441e48990c943a407e624297462bcf imapd-4.64-i386-1.tgz 511f23cdfad804091c2cd19535049921 pine-4.64-i386-1.tgz
Slackware 9.1 packages: 7a2ad708d914c8b5a87bdeefa008c85b imapd-4.64-i486-1.tgz 2b9d497ab55f4d3ffaf5f9e14a4d8b7b pine-4.64-i486-1.tgz
Slackware 10.0 packages: 87c82d442781a04cf0f9fd5e49e22732 imapd-4.64-i486-1.tgz d311d9f79910d828511e5509de6215f2 pine-4.64-i486-1.tgz
Slackware 10.1 packages: 445d1414e92aaf236d277f09cff074ea imapd-4.64-i486-1.tgz ed694c28eae7fb967a510b8c71137ceb pine-4.64-i486-1.tgz
Slackware 10.2 packages: 1e74b74199a891851347f05f77585c35 imapd-4.64-i486-1.tgz 874997ce55e5700854fcdd4b5c8cbe8d pine-4.64-i486-1.tgz
Slackware -current packages: 874997ce55e5700854fcdd4b5c8cbe8d pine-4.64-i486-1.tgz 1e74b74199a891851347f05f77585c35 imapd-4.64-i486-1.tgz

Severity
[slackware-security] imapd (SSA:2005-310-06)
New imapd packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix (an alleged) security issue. See the details below for more information. Also, new Pine packages are provided since these are built together... why not? Might as well upgrade that too, while I'm fixing the fake security problem. :-)

Installation Instructions

Installation instructions: Upgrade the packages as root: # upgradepkg pine-4.64-i486-1.tgz imapd-4.64-i486-1.tgz

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved