Upgrade courier-imap package

Similar to my thread about updating the qmail package version, we now have PCI compliance vendors failing us over the version of Courier-IMAP included with InterWorx. We have seen Control Scan fail clients over it. And this morning Security Metrics failed one of our clients with:

Description: possible format string vulnerability in Courier IMAP
Severity: Potential Problem
CVE: CVE-2004-0777
Impact: A remote attacker could execute arbitrary commands.
Background: Courier IMAP provides IMAP service for Courier Mail Server and is also packaged separately for use with Qmail, Exim, and Postfix mail servers.
Resolution [Courier Mail Server - latest releases]: Upgrade to Courier IMAP 3.0.4 or higher, or set DEBUG_LOGIN equal to the default value of 0 in the IMAP configuration file, which is typically located in /usr/lib/courier-imap/etc/imapd.
Vulnerability Details: Service: imap

That is a false positive, but it can only be corrected by a documentation process per client.

The current version from InterWorx is v2.1.2, but the latest from the Courier team is v4.9.3. I am requesting this package be upgraded when possible so we don’t have to handle a false-positive per client that needs PCI compliance.

Note: I would attempt an upgrade myself, but I’m assuming something would break in the control panel.

I also have SecMetrics problems, and Courier-IMAP is one of them. If I update to 4.10 via the bz2 file, does anyone know if I will run into InterWorx mail issues? My current version is unknown, but SecMetrics claims that port 143 is open and using Courier-IMAP.

Thank you!

We just had another client fail PCI compliance (Security Metrics) over this. It again comes down to them remotely guessing the version number and assuming InterWorx might have DEBUG_LOGIN enabled (it is not).

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0777

It would seem that upgrading would avoid having to file false-positive reports with every PCI compliance account we manage, but we don’t want to do that until someone from InterWorx can confirm that upgrading will not break anything, or an upgraded version is made available. :)

Edited /etc/courier/imap.cnf

Added
DEBUG_LOGIN=0
and passed SecMetrics’ test.
Just for the record, I did many other things, not pertaining to IMAP, to pass as well.
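The fix in the post above works because CVE-2004-0777 is only reachable when DEBUG_LOGIN is non-zero, and the scanners in this thread cannot see that setting from port 143; they only guess from the banner. The script below is an added example (it is not from the thread, from InterWorx, or from the Courier project) that reports the effective DEBUG_LOGIN value of an imapd config so you can document the false positive, or catch a box where someone really did leave debug logging on. It assumes the config is the shell-style file that Courier's rc script sources, so the last uncommented assignment wins and a missing assignment means the default of 0. The sample config it checks is constructed inline; the real file is usually /usr/lib/courier-imap/etc/imapd or /etc/courier/imapd, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the thread or of Courier/InterWorx:
# report the effective DEBUG_LOGIN value in a Courier-IMAP imapd config.
#
# Courier's imapd.rc sources the config as a shell script, so the LAST
# uncommented "DEBUG_LOGIN=..." assignment wins and an absent assignment
# means the compiled-in default of 0. CVE-2004-0777 only applies when
# DEBUG_LOGIN is non-zero, which a remote banner-only scan cannot see.

# Print the effective DEBUG_LOGIN value of config file $1 (0 when unset or empty).
# Parsed with awk instead of sourcing the file so nothing in it gets executed.
effective_debug_login() {
    awk '
        /^[[:space:]]*DEBUG_LOGIN=/ {
            v = $0
            sub(/^[[:space:]]*DEBUG_LOGIN=/, "", v)   # drop the key
            sub(/[[:space:]]*#.*$/, "", v)            # drop a trailing comment
            gsub(/["'\'']/, "", v)                    # drop quotes
            gsub(/[[:space:]]+$/, "", v)              # drop trailing blanks
            last = v                                  # last assignment wins
        }
        END { if (last == "") last = "0"; print last }
    ' "$1"
}

# Return 0 when $1 has DEBUG_LOGIN effectively 0, 1 otherwise (usable from cron).
debug_login_is_off() {
    [ "$(effective_debug_login "$1")" = "0" ]
}

# Human-readable verdict for config file $1; exit status follows the verdict.
check_imapd_config() {
    f=$1
    if [ ! -r "$f" ]; then
        printf '%s: not readable\n' "$f"
        return 2
    fi
    v=$(effective_debug_login "$f")
    if [ "$v" = "0" ]; then
        printf '%s: DEBUG_LOGIN=%s (OK, CVE-2004-0777 not exposed; document as false positive)\n' "$f" "$v"
        return 0
    fi
    printf '%s: DEBUG_LOGIN=%s (login debug logging on; set DEBUG_LOGIN=0 and restart courier-imap)\n' "$f" "$v"
    return 1
}

# Constructed sample config (written to a temp file for this demo). It has the
# traps a real file can have: a commented-out value, a quoted non-zero value,
# and a later assignment that overrides it.
make_sample_config() {
    t=$(mktemp) || return 1
    cat >"$t" <<'EOF'
##NAME: DEBUG_LOGIN:0
#
# 1 logs the login name, 2 also logs the password. Default is 0.
#DEBUG_LOGIN=2
DEBUG_LOGIN="1"   # turned on while debugging
MAXDAEMONS=40
DEBUG_LOGIN=0     # turned back off at the end of the file: this one wins
EOF
    printf '%s\n' "$t"
}

# Stand-alone run: check the constructed sample, then any paths given as arguments.
main() {
    sample=$(make_sample_config) || return 1
    check_imapd_config "$sample"
    rc=$?
    rm -f "$sample"
    for f in "$@"; do
        check_imapd_config "$f" || rc=1
    done
    return $rc
}

main "$@"
```

Run it as `sh check_debug_login.sh /usr/lib/courier-imap/etc/imapd` (or whichever path your InterWorx build uses); a non-zero exit means the setting really is on and the scanner finding is not a false positive on that box. Remember the value only takes effect after courier-imap is restarted, so check the running config, not just the file you edited.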