The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[USN-567-1] Dovecot vulnerability


<< Previous INDEX Search src / Print Next >>
Date: Thu, 10 Jan 2008 14:01:59 -0800
From: Kees Cook <kees@ubuntu.com.>
To: [email protected]
Subject: [USN-567-1] Dovecot vulnerability
Message-ID: <20080110220159.GN17869@outflux.net.>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="xku3GkZTJumTa1rO"
Content-Disposition: inline
Organization: Ubuntu
X-MIMEDefang-Filter: outflux$Revision: 1.304 $
X-HELO: www.outflux.net
X-Scanned-By: MIMEDefang 2.57 on 10.2.0.1
X-Virus-Scanned: antivirus-gw at tyumen.ru


--xku3GkZTJumTa1rO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=20
Ubuntu Security Notice USN-567-1           January 10, 2008
dovecot vulnerability
CVE-2007-6598
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects the following Ubuntu releases:

Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.04:
  dovecot-imapd                   1.0.rc17-1ubuntu2.2
  dovecot-pop3d                   1.0.rc17-1ubuntu2.2

Ubuntu 7.10:
  dovecot-imapd                   1:1.0.5-1ubuntu2.1
  dovecot-pop3d                   1:1.0.5-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that in very rare configurations using LDAP, Dovecot may
reuse cached connections for users with the same password.  As a result,
a user may be able to login as another if the connection is reused.
The default Ubuntu configuration of Dovecot was not vulnerable.


Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-=
1ubuntu2.2.diff.gz
      Size/MD5:   101513 3a05fe3f2bdcd39c32e0a650b61c9b18
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-=
1ubuntu2.2.dsc
      Size/MD5:     1100 89b4ea9a138396356ce51947d4a958b8
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17.=
orig.tar.gz
      Size/MD5:  1512386 881bcc7d2c8fba6d337f3e616a602bf7

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.2_amd64.deb
      Size/MD5:  1274744 7c4aea65aa4b2c8360ca296e4c7dd11b
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc17-1ubuntu2.2_amd64.deb
      Size/MD5:   586662 3a4c663dd70057ff8a559512880f88b5
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc17-1ubuntu2.2_amd64.deb
      Size/MD5:   552404 d3c2ce0c2eb3aa58f8b17dad3fc4ee8f

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.2_i386.deb
      Size/MD5:  1164784 517cb8721acce093e3435565a2163a0e
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc17-1ubuntu2.2_i386.deb
      Size/MD5:   554298 eb6fbeeeee1889303647318298ad5150
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc17-1ubuntu2.2_i386.deb
      Size/MD5:   521626 a82bae1bb6e26289a91166bc77f1a23b

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.2_powerpc.deb
      Size/MD5:  1291322 a4df46fd2fac7456d425bf66b5862188
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc17-1ubuntu2.2_powerpc.deb
      Size/MD5:   591040 a27429b620664c82ada26d6cbfafcbc5
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc17-1ubuntu2.2_powerpc.deb
      Size/MD5:   556188 16c2bdae0d14a402644c8c58439fa75c

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.2_sparc.deb
      Size/MD5:  1158252 875a51f7b4ee7c81ada93481e2fc7487
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc17-1ubuntu2.2_sparc.deb
      Size/MD5:   549596 75f43e94538ed72b7342b3ed00ba6005
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc17-1ubuntu2.2_sparc.deb
      Size/MD5:   517136 7a6bc0cd8bbf73514d54624431e8c1b3

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.5-1ub=
untu2.1.diff.gz
      Size/MD5:   107642 9e04e08b57194364c8248332817049e3
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.5-1ub=
untu2.1.dsc
      Size/MD5:     1115 0e95044d51301ec964cf96bda69f1a0a
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.5.ori=
g.tar.gz
      Size/MD5:  1775898 94b7d29cf44f63f89d538361afa05c40

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.5-1ubuntu2.1_amd64.deb
      Size/MD5:  1814690 3c1b2d9247c7f246eb8c59b9d04a4362
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2E5-1ubuntu2.1_amd64.deb
      Size/MD5:   654514 7140315d855e7fab6d796be4166514a4
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2E5-1ubuntu2.1_amd64.deb
      Size/MD5:   617618 8c73c94bd43e89da32a0549c0c4218b6

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.5-1ubuntu2.1_i386.deb
      Size/MD5:  1672926 1b323221b09fca189b471079f1ee5612
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2E5-1ubuntu2.1_i386.deb
      Size/MD5:   621486 fa8977d8a945022fcdcf460d25d57141
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2E5-1ubuntu2.1_i386.deb
      Size/MD5:   588164 df780cc94e95fabf7793139ed8ca4c1e

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.5-1ubuntu2.1_powerpc.deb
      Size/MD5:  1831950 d79e9f2cd81daab0eb7ae642d0444a0e
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2E5-1ubuntu2.1_powerpc.deb
      Size/MD5:   656610 941223abf4f45c00434ff50a1323efad
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2E5-1ubuntu2.1_powerpc.deb
      Size/MD5:   621772 c4557afdeac4488718e3e4cd7d66aed6

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.5-1ubuntu2.1_sparc.deb
      Size/MD5:  1666806 8dc28e714f31d687a1283f888f8b6301
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2E5-1ubuntu2.1_sparc.deb
      Size/MD5:   618418 f7f5afcaf0de5164b0f1189dabb7761d
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2E5-1ubuntu2.1_sparc.deb
      Size/MD5:   585178 fdb2b1bfc470ed595671596656d1e12c


--xku3GkZTJumTa1rO
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHhpXXH/9LqRcGPm0RAt3KAJsF5CgegDZ48PBAV2kCLY4E9omFRwCfbkeo
QNWHhXj0QGhFx93fhN0QeSA=
=VlyV
-----END PGP SIGNATURE-----

--xku3GkZTJumTa1rO--


<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру