Message-ID: <4FB1527E.9030005@redhat.com>
Date: Mon, 14 May 2012 12:44:14 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Steve Kemp <steve@...ve.org.uk>
Subject: Re: CVE request: Bytemark Symbiosis

On 05/14/2012 06:41 AM, Steve Kemp wrote:
>
> Symbiosis is an easy to use collection of tools, utilities, and
> configuration files for mass hosting virtual domains using Apache,
> Exim4, Dovecot, PureFTPD, and several other daemons.
>
> The code behind the system is freely available, and it is widely
> used by at least one hosting company. The code itself is
> available, along with documentation, here:
>
> http://symbiosis.bytemark.co.uk/
>
> Unfortunately releases between these two mercurial identifiers
> contained a significant flaw:
>
> mercurial ID: 1068 date: Wed Feb 01 11:49:57 2012 +0000
>
> And
>
> changeset: 1326 date: Thu May 10 08:35:13 2012 +0100
>
>
> IMAP/POP3/SMTP authentication would accept any password for any
> valid email account. (Logins are of the form $user@...main.)
>
> This was fixed with the following commit:
>
> https://projects.bytemark.co.uk/projects/symbiosis/repository/diff?rev=1327&rev_to=1322
>
> Please could a CVE identifier be allocated such that we may use it
> in our documentation.

Please use CVE-2012-2368 for this issue.

> Steve

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993