Overview

File _patchinfo of Package patchinfo.2645

<patchinfo incident="2645">
  <issue id="981670" tracker="bnc">VUL-0: CVE-2015-8076: cyrus-imapd: urlfetch range handling flaw in Cyrus</issue>
  <issue id="901748" tracker="bnc">VUL-1: CVE-2014-3566: cyrus-imap: POODLE: add patch to allow disabling of SSL</issue>
  <issue id="954200" tracker="bnc">VUL-0: CVE-2015-8077: cyrus-imapd: Integer overflow in range checks</issue>
  <issue id="954201" tracker="bnc">VUL-0: CVE-2015-8078: cyrus-imapd: Integer overflow in index_urlfetch</issue>
  <issue id="860611" tracker="bnc"> cyrus-imapd: enable ECDHE support</issue>  
  <issue id="CVE-2015-8076" tracker="cve" />
  <issue id="CVE-2015-8078" tracker="cve" />
  <issue id="CVE-2014-3566" tracker="cve" />
  <issue id="CVE-2015-8077" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>simotek</packager>
  <description>
- Previous versions of cyrus-imapd would not allow its users to disable old
  protocols like SSLv1 and SSLv2 that are unsafe due to various known attacks
  like BEAST and POODLE. https://bugzilla.cyrusimap.org/show_bug.cgi?id=3867
  remedies this issue by adding the configuration option 'tls_versions' to the
  imapd.conf file. Note that users who upgrade existing installation of this
  package will *not* have their imapd.conf file overwritten, i.e. their IMAP
  server will continue to support SSLv1 and SSLv2 like before. To disable
  support for those protocols, it's necessary to edit imapd.conf manually to
  state "tls_versions: tls1_0 tls1_1 tls1_2". New installations, however, will
  have an imapd.conf file that contains these settings already, i.e. newly
  installed IMAP servers do *not* support SSLv1 and SSLv2 unless that support
  is explicitly enabled by the user. (bsc#901748)

- An integer overflow vulnerability in cyrus-imapd's urlfetch range checking
  code was fixed. (CVE-2015-8076, CVE-2015-8077, CVE-2015-8078, bsc#981670,
  bsc#954200, bsc#954201)

- Support for Elliptic Curve Diffie–Hellman (ECDH) has been added to
  cyrus-imapd. (bsc#860611)
</description>
  <summary>Security update for cyrus-imapd</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places