24 May 2006 There is a serious flaw in all versions of imapproxy prior to 1.2.5rc2 that can crash it. imapproxy does not properly handle string literals sent by clients in the Not Authenticated state.

This bug is actively triggered by IMP version 4.1.1, since it may send the username as a string literal as part of the LOGIN command, and it could be exploited by any host on the internet that sends a crafted IMAP command to imapproxy in the Not Authenticated state.

As a temporary workaround, do not upgrade to IMP 4.1.1 if you're currently running an older version, and use a firewall (either host-based or external) to restrict access to imapproxy so that only your webmail server can connect to it.

This bug has been worked around in 1.2.5rc2, but not fixed. If imapproxy encounters a string literal instead of a username, it will simply close that connection instead of exiting. A full fix will be released in a later version of imapproxy, once the parsing engine has been rewritten.
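The following is an added illustration of the pre-authentication handling described above; it is not imapproxy's code. It tokenises a LOGIN line into the three RFC 3501 argument forms (atom, quoted string, literal `{N}`) and shows the two safe responses to a literal: closing the connection (the 1.2.5rc2 workaround) or asking for the announced octets (what a rewritten parser does). The sample commands, the function names and the `literal_policy` parameter are constructed for this example.

```python
import re

# Constructed sample LOGIN lines; the literal form is the one IMP 4.1.1 sends.
SAMPLE_ATOM    = b'a001 LOGIN alice secret'
SAMPLE_QUOTED  = b'a002 LOGIN "alice" "se cret"'
SAMPLE_LITERAL = b'a003 LOGIN {5}'   # username follows as 5 raw octets after "+"

LITERAL_RE = re.compile(rb"\A\{(\d+)\+?\}\Z")   # {N} or non-synchronising {N+}

def tokenize(line: bytes):
    """Split one IMAP command line into (kind, value) tokens.

    kind is 'atom', 'quoted' or 'literal'. For 'literal' the value is the
    announced octet count: the bytes themselves only arrive after the server
    sends a '+' continuation. Malformed input raises ValueError, it is never
    guessed at.
    """
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i:i+1] == b' ':
            i += 1
            continue
        if line[i:i+1] == b'"':                 # quoted string; honours \" and \\
            j, buf = i + 1, bytearray()
            while j < n and line[j:j+1] != b'"':
                if line[j:j+1] == b'\\' and j + 1 < n:
                    j += 1
                buf += line[j:j+1]
                j += 1
            if j >= n:
                raise ValueError("unterminated quoted string")
            tokens.append(('quoted', bytes(buf)))
            i = j + 1
        else:                                   # atom or literal marker
            j = line.find(b' ', i)
            j = n if j < 0 else j
            word = line[i:j]
            m = LITERAL_RE.match(word)
            tokens.append(('literal', int(m.group(1))) if m else ('atom', word))
            i = j
    return tokens

def handle_unauthenticated(line: bytes, literal_policy: str = "close"):
    """Decide what a proxy does with a pre-auth command line.

    'close' mirrors the 1.2.5rc2 workaround (drop the connection on a
    literal); 'read' asks for the announced octets and carries on, as a full
    parser would. In both cases the process itself stays up.
    """
    toks = tokenize(line)
    if len(toks) < 2 or toks[1][0] != 'atom' or toks[1][1].upper() != b'LOGIN':
        return ('forward', None)                # not LOGIN: pass through unchanged
    literals = [v for k, v in toks[2:] if k == 'literal']
    if not literals:
        return ('forward', None)
    return ('close', None) if literal_policy == "close" else ('continue', literals[0])
```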

17 Feb 2006 Fixes for the vulnerabilities listed in this CERT Bulletin (also Debian advisory DSA 852-1) are included in 1.2.5rc1. View the ChangeLog

10 Nov 2004 Fixes for the vulnerabilities listed in this CERT Bulletin and posted to BugTraq on 7-Nov-2004 were included in 1.2.3rc1 (released on 10-Nov-2004), and are in the release version of 1.2.3.