The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[USN-487-1] Dovecot vulnerability


<< Previous INDEX Search src / Print Next >>
Date: Tue, 17 Jul 2007 14:57:01 -0700
From: Kees Cook <kees@ubuntu.com.>
To: [email protected]
Subject: [USN-487-1] Dovecot vulnerability
Message-ID: <20070717215701.GF11087@outflux.net.>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="ahZICQ7iXVM/oLYH"
Content-Disposition: inline
Organization: Ubuntu
X-MIMEDefang-Filter: outflux$Revision: 1.281 $
X-HELO: gorgon.outflux.net
X-Scanned-By: MIMEDefang 2.57 on 10.2.0.1
X-Virus-Scanned: antivirus-gw at tyumen.ru


--ahZICQ7iXVM/oLYH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=20
Ubuntu Security Notice USN-487-1              July 17, 2007
dovecot vulnerability
CVE-2007-2231
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  dovecot-common                           1.0.beta3-3ubuntu5.5

Ubuntu 6.10:
  dovecot-common                           1.0.rc2-1ubuntu2.2

Ubuntu 7.04:
  dovecot-common                           1.0.rc17-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Dovecot, when configured to use non-system-user
spools and compressed folders, would allow directory traversals in
mailbox names.  Remote authenticated users could potentially read email
owned by other users.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3=
-3ubuntu5.5.diff.gz
      Size/MD5:   469298 29bd87efba635fd5eedb3895d20acc46
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3=
-3ubuntu5.5.dsc
      Size/MD5:      867 5036d7a6d364a2ad840b0d54e3339f38
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3=
=2Eorig.tar.gz
      Size/MD5:  1360574 5418f9f7fe99e4f10bb82d9fe504138a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.beta3-3ubuntu5.5_amd64.deb
      Size/MD5:   962840 6cca1d5abd731afba38bb29f6c9933f5
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Ebeta3-3ubuntu5.5_amd64.deb
      Size/MD5:   532874 e9e41c0952c466de86cb5ce0e6587a22
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Ebeta3-3ubuntu5.5_amd64.deb
      Size/MD5:   500994 bc7b6969f03f5f311848410e935dfded

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.beta3-3ubuntu5.5_i386.deb
      Size/MD5:   838814 753181c3a1179a6ec1bd72b13dc5b9a4
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Ebeta3-3ubuntu5.5_i386.deb
      Size/MD5:   486092 d11b682eb421301f797e80194b51b67b
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Ebeta3-3ubuntu5.5_i386.deb
      Size/MD5:   456858 d8ca7cb44101b96455b891e9e42bc5b3

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.beta3-3ubuntu5.5_powerpc.deb
      Size/MD5:   941292 e1d73b71061280687181e8f938b8e264
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Ebeta3-3ubuntu5.5_powerpc.deb
      Size/MD5:   526582 4f89130337e474c68a419f4724cf1aa4
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Ebeta3-3ubuntu5.5_powerpc.deb
      Size/MD5:   494322 ebbdc5b738172d4dfc6b25ec39ddfa91

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.beta3-3ubuntu5.5_sparc.deb
      Size/MD5:   855402 12181c54c433922b9eee15f585a0ae8f
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Ebeta3-3ubuntu5.5_sparc.deb
      Size/MD5:   492088 9d4880192868043bbc62096ea23ac2e0
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Ebeta3-3ubuntu5.5_sparc.deb
      Size/MD5:   462252 5f62fd110c14911bcfb406a84703cb5d

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2-1=
ubuntu2.2.diff.gz
      Size/MD5:   473084 483a9eb80e9750acdf385ed824056db9
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2-1=
ubuntu2.2.dsc
      Size/MD5:      900 11dc25bceb20c8e6d6870b53f38bdc3c
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2.o=
rig.tar.gz
      Size/MD5:  1257435 e27a248b2ee224e4618aa2f020150041

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc2-1ubuntu2.2_amd64.deb
      Size/MD5:   936296 0ae0d9e4217dae4b910b489670f25a5e
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc2-1ubuntu2.2_amd64.deb
      Size/MD5:   387028 dee13d869de26b760f55f2ca79aa9459
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc2-1ubuntu2.2_amd64.deb
      Size/MD5:   353208 7f8cd14c0f45fa2d60b81112361e47ea

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc2-1ubuntu2.2_i386.deb
      Size/MD5:   833674 a8f0594ac17eaf15b7b8574bed437d8a
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc2-1ubuntu2.2_i386.deb
      Size/MD5:   354212 31a82ddd4094a0293bd80e20387e734a
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc2-1ubuntu2.2_i386.deb
      Size/MD5:   323498 69cb3e9d2aad06b53627a0da1f2f0cf5

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc2-1ubuntu2.2_powerpc.deb
      Size/MD5:   924998 9158a6ee1b882ec64d2e7bd0ad337ebe
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc2-1ubuntu2.2_powerpc.deb
      Size/MD5:   385336 9608f3975460aea5cf553d454f6522ff
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc2-1ubuntu2.2_powerpc.deb
      Size/MD5:   352020 9facc03f70e9d7ad823ef0ed4b6fc20c

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc2-1ubuntu2.2_sparc.deb
      Size/MD5:   820528 97f8b26eba76a6351c60f2ff2d02a48d
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc2-1ubuntu2.2_sparc.deb
      Size/MD5:   347752 b8ce2d4174b4aefee2ddaa311d0db376
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc2-1ubuntu2.2_sparc.deb
      Size/MD5:   316908 d5b9a64f49f61f617e73d6371a3f9ed1

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-=
1ubuntu2.1.diff.gz
      Size/MD5:    99862 9bf881b3592e2d48e4b31123fe43563b
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-=
1ubuntu2.1.dsc
      Size/MD5:     1099 c657aea243cfbeac420794c0a43bae95
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17.=
orig.tar.gz
      Size/MD5:  1512386 881bcc7d2c8fba6d337f3e616a602bf7

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.1_amd64.deb
      Size/MD5:  1274644 46145219067be168cfe05961140faabf
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc17-1ubuntu2.1_amd64.deb
      Size/MD5:   586540 eac2b3216e1f76c20354c322f3b1bae0
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc17-1ubuntu2.1_amd64.deb
      Size/MD5:   552280 cffa97e43063a8c27382b302541cf00b

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.1_i386.deb
      Size/MD5:  1164578 45655df2ab5d68ab09c17a52b286fef5
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc17-1ubuntu2.1_i386.deb
      Size/MD5:   554174 33f48b9b7d8639ccb75cbccbaa48e59d
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc17-1ubuntu2.1_i386.deb
      Size/MD5:   521498 c7094f9dd1fabcae02f4e535d24c9c7f

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.1_powerpc.deb
      Size/MD5:  1291064 6b55bb639475bcecbf00655ad6cd27ea
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc17-1ubuntu2.1_powerpc.deb
      Size/MD5:   590906 6afd3063c2bbe6c46119d7c2bf0114a1
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc17-1ubuntu2.1_powerpc.deb
      Size/MD5:   556068 009c76cc27d1812d2abf6d997116e500

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.1_sparc.deb
      Size/MD5:  1158070 25978232a1680992b84edc754f9f42e9
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc17-1ubuntu2.1_sparc.deb
      Size/MD5:   549476 d9d6f94295f77b1d42f6775e38475fd1
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc17-1ubuntu2.1_sparc.deb
      Size/MD5:   517012 58f2daca2b94c95c66f30277f8401373


--ahZICQ7iXVM/oLYH
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGnTstH/9LqRcGPm0RAgSEAKCWTh0XNXoq2KI7v/ioij2n4LBmLwCfWkkE
lagMc7QGFVYBsr3w2WjCe0I=
=NWEY
-----END PGP SIGNATURE-----

--ahZICQ7iXVM/oLYH--


<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру