GLSA Bodhisattva
Joined: 25 Feb 2003 Posts: 3829 Location: Essen, Germany
Posted: Wed Feb 02, 2005 11:19 am Post subject: [ GLSA 200502-02 ] UW IMAP: CRAM-MD5 authentication bypass
Gentoo Linux Security Advisory
Title: UW IMAP: CRAM-MD5 authentication bypass (GLSA 200502-02)
Severity: normal
Exploitable: remote
Date: February 02, 2005
Updated: May 22, 2006
Bug(s): #79874
ID: 200502-02
Synopsis
UW IMAP contains a vulnerability in the code handling CRAM-MD5 authentication allowing authentication bypass.
Background
UW IMAP is the University of Washington IMAP toolkit which includes POP3 and IMAP daemons.
Affected Packages
Package: net-mail/uw-imap
Vulnerable: <= 2004a
Unaffected: >= 2004b
Architectures: All supported architectures
Description
A logic bug in the code handling CRAM-MD5 authentication incorrectly specifies the condition for successful authentication.
Impact
An attacker could exploit this vulnerability to authenticate as any mail user on a server with CRAM-MD5 authentication enabled.
Workaround
Disable CRAM-MD5 authentication.
Resolution
All UW IMAP users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/uw-imap-2004b"
References
US-CERT VU#702777
CVE-2005-0198
Last edited by GLSA on Mon May 22, 2006 4:18 am; edited 2 times in total
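The Description above turns on the condition for successful CRAM-MD5 authentication. The following is an added example, not part of the advisory and not UW IMAP's code or its fix: a server-side check in the style of RFC 2195 in which success requires both a known user and a matching HMAC-MD5 digest, and every other path rejects. The function names, the in-memory SECRETS store and the sample credentials (taken from the RFC 2195 example) are assumptions made for illustration.

```python
import base64
import binascii
import hmac

# Constructed sample data (RFC 2195 example values), not from the advisory.
SECRETS = {"tim": b"tanstaaftanstaaf"}          # hypothetical credential store
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"


def expected_digest(secret: bytes, challenge: bytes) -> str:
    """Lowercase hex HMAC-MD5 of the challenge, keyed with the shared secret."""
    return hmac.new(secret, challenge, "md5").hexdigest()


def client_response(user: str, secret: bytes, challenge: bytes) -> bytes:
    """What a client sends back: base64 of '<user> <hex digest>'."""
    return base64.b64encode(f"{user} {expected_digest(secret, challenge)}".encode())


def verify_cram_md5(challenge: bytes, response_b64: bytes, secrets=SECRETS):
    """Return the authenticated user name, or None. Every failure path returns None."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None                       # undecodable response: reject
    # The digest is the last space-separated token; user names may contain spaces.
    user, sep, digest = decoded.rpartition(" ")
    if not sep or not user or len(digest) != 32:
        return None                       # not '<user> <32 hex digits>': reject
    secret = secrets.get(user)
    # Compute an HMAC even for unknown users so both paths do similar work.
    want = expected_digest(secret if secret is not None else b"\x00", challenge)
    digest_ok = hmac.compare_digest(want.encode(), digest.encode())
    # Success requires BOTH a known user AND a matching digest. No other state
    # (retry counters, empty fields, error conditions) may reach this branch.
    if secret is not None and digest_ok:
        return user
    return None


if __name__ == "__main__":
    good = client_response("tim", SECRETS["tim"], CHALLENGE)
    bad = client_response("tim", b"wrong-secret", CHALLENGE)
    print("valid response   ->", verify_cram_md5(CHALLENGE, good))
    print("wrong secret     ->", verify_cram_md5(CHALLENGE, bad))
    print("empty response   ->", verify_cram_md5(CHALLENGE, b""))
```

A test suite for an authentication routine like this should exercise the negative cases (wrong secret, unknown user, malformed or empty response, stale challenge) as well as the success case, since an incorrectly specified success condition only shows up on the failing paths.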