Content of this advisory:
1) security vulnerability resolved: CRAM-MD5 authentication bug
   problem description
1) problem description, brief discussion
The University of Washington imap daemon can be used to access mails remotely using the IMAP protocol.
This update fixes a logical error in the challenge response authentication mechanism CRAM-MD5 used by UW IMAP. Due to this mistake, a remote attacker can gain access to the IMAP server as an arbitrary user.
This is tracked by the Mitre CVE ID CAN-2005-0198.

Maybe this is related to this, and a new thing is broken within. Anybody with the same problems? Since Novell is here I get strange errors after each update, and it seems to me there has not been enough error-checking of updates since then.

The server (web & mail server behind a firewall) was rebooted after the kernel update so that the changes take effect. Now I see something is broken within the latest kernel update. I get errors on FTP, IMAP and SMTP while authenticating (strange, with Samba and SSH there is no such error):

Output on FTP login from my FTP client:

Status: Connecting with x.x.x.x...
Status: Connecting with x.x.x.x. Waiting for welcome message...
Answer: 220 "Welcome message."
Command: USER my_user
Answer: 331 Please specify the password.
Command: PASS *****
Answer: 500 OOPS: capset
Answer: 230 Login successful.
Error: Connection cannot be established!

E-Mail: I get errors that the server cannot be connected. Once I restart the related service I don't get any errors back. I didn't check if the error occurs a second time. Any suggestions?

Strange as well: after the update to 9.1 the logs are too full and logrotate does not rotate them either (any hints there as well?). Especially the SuSE-Firewall logs.

Regards
Philippe