Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 14 May 2012 13:41:13 +0100
From: Steve Kemp <steve@...ve.org.uk>
To: oss-security@...ts.openwall.com
Subject: CVE request: Bytemark Symbiosis


  Symbiosis is an easy to use collection of tools, utilities,
 and configuration files for mass hosting virtual domains
 using Apache, Exim4, Dovecot, PureFTPD, and several other
 daemons.

  The code behind the system is freely available, and it
 is widely used by at least one hosting company.  The code
 itself is available, along with documentation, here:

    http://symbiosis.bytemark.co.uk/

  Unfortunately releases between these two mercurial
 identifiers contained a significant flaw:

  mercurial ID:   1068
  date:        Wed Feb 01 11:49:57 2012 +0000

  And

  changeset:   1326
  date:        Thu May 10 08:35:13 2012 +0100


  IMAP/POP3/SMTP authentication would accept any password
 for any valid email account.  (Logins are of the form
 $user@...main.)

  This was fixed with the following commit:

    https://projects.bytemark.co.uk/projects/symbiosis/repository/diff?rev=1327&rev_to=1322

  Please could a CVE identifier be allocated such that we
 may use it in our documentation.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.