Similar to my thread about updating the qmail package version, we now have PCI compliance vendors failing us over the version of Courier-IMAP included with InterWorx. We have seen Control Scan fail clients over it. And this morning Security Metrics failed one of our clients with:
Description: possible format string vulnerability in Courier IMAP
Severity: Potential Problem
CVE: CVE-2004-0777
Impact: A remote attacker could execute arbitrary commands.
Background: Courier IMAP provides IMAP service for Courier Mail Server and is also packaged separately for use with Qmail, Exim, and Postfix mail servers.
Resolution [Courier Mail Server - latest releases] Upgrade to Courier IMAP 3.0.4 or higher, or set DEBUG_LOGIN equal to the default value of 0 in the IMAP configuration file, which is typically located in /usr/lib/courier-imap/etc/imapd.
Vulnerability Details: Service: imap
That is a false positive, but it can only be corrected by a documentation process per client.
The current version from InterWorx is v2.1.2, but the latest from the Courier team is v4.9.3. I am requesting this package be upgraded when possible so we don’t have to handle a false positive per client that needs PCI compliance.
Note: I would attempt an upgrade myself, but I’m assuming something would break in the control panel.
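As an added example, not code from the original post, from InterWorx or from the Courier project: a small POSIX shell check for the DEBUG_LOGIN setting that the scanner's resolution text points at, which is the kind of per-client evidence a documentation process for this false positive needs. It assumes the config path quoted in the scanner output (/usr/lib/courier-imap/etc/imapd) and that the file uses the shell-style KEY=VALUE lines Courier-IMAP ships; the function names are mine, and the sample config files it falls back to are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post, InterWorx or Courier:
# verify the DEBUG_LOGIN setting that the scanner's resolution text refers
# to, so a per-client "false positive" write-up carries evidence.
# Assumptions: the config is the shell-style KEY=VALUE file Courier-IMAP
# ships; the path below is the one quoted in the scanner output.
DEFAULT_IMAPD_CONF=/usr/lib/courier-imap/etc/imapd

# debug_login_value FILE
# Prints the effective DEBUG_LOGIN value: the last uncommented assignment
# wins (the file is read like a shell script), and no assignment at all
# means the documented default of 0. Returns 2 if the file cannot be read.
debug_login_value() {
    dlv_file="$1"
    [ -r "$dlv_file" ] || { echo "cannot read $dlv_file" >&2; return 2; }
    # keep only real assignments (not the '##NAME: DEBUG_LOGIN:0' annotation
    # or commented-out lines), take the last one, strip trailing comments,
    # quotes and whitespace
    dlv_val=$(grep -E '^[[:space:]]*DEBUG_LOGIN[[:space:]]*=' "$dlv_file" \
        | tail -n 1 | cut -d= -f2- | sed 's/#.*//' | tr -d "\"' \t")
    if [ -z "$dlv_val" ]; then
        echo 0
    else
        echo "$dlv_val"
    fi
}

# check_debug_login FILE
# Exit status 0 when DEBUG_LOGIN is 0 (login debug logging off, the
# mitigation the scanner text accepts), 1 when it is anything else,
# 2 when the file is unreadable.
check_debug_login() {
    cdl_val=$(debug_login_value "$1") || return 2
    if [ "$cdl_val" = "0" ]; then
        echo "$1: DEBUG_LOGIN=0, login debug logging disabled"
        return 0
    fi
    echo "$1: DEBUG_LOGIN=$cdl_val, login debug logging enabled; set it to 0"
    return 1
}

# Stand-alone use: check the file given as argument, else the default path.
# With neither available (e.g. on a workstation), fall back to two
# constructed sample files so both outcomes can be seen.
if [ $# -gt 0 ]; then
    check_debug_login "$1"
elif [ -r "$DEFAULT_IMAPD_CONF" ]; then
    check_debug_login "$DEFAULT_IMAPD_CONF"
else
    sample=$(mktemp)
    # constructed sample: annotation line, commented-out assignment, real one
    printf '##NAME: DEBUG_LOGIN:0\n# DEBUG_LOGIN=1\nDEBUG_LOGIN=0\n' > "$sample"
    check_debug_login "$sample"
    # constructed sample: a later assignment overrides the earlier one
    printf 'DEBUG_LOGIN=0\nDEBUG_LOGIN=2  # left on after troubleshooting\n' > "$sample"
    check_debug_login "$sample" || :
    rm -f "$sample"
fi
```

Run it as `sh check_debug_login.sh /usr/lib/courier-imap/etc/imapd` on each client box and keep the output with the scan response; a nonzero exit is the one case where the finding is not a false positive and the setting should be put back to 0.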