[USN-666-1] Dovecot vulnerability
Date: Fri, 7 Nov 2008 12:21:26 -0800
From: Kees Cook <kees@ubuntu.com.>
To: [email protected]
Subject: [USN-666-1] Dovecot vulnerability
Message-ID: <20081107202126.GA9448@outflux.net.>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="UlxN1C6awaFNesUv"
Content-Disposition: inline
Organization: Ubuntu
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
X-HELO: www.outflux.net
X-Scanned-By: MIMEDefang 2.63 on 10.2.0.1
X-Virus-Scanned: antivirus-gw at tyumen.ru
--UlxN1C6awaFNesUv
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Ubuntu Security Notice USN-666-1 November 07, 2008
dovecot vulnerability
CVE-2008-4907
A security issue affects the following Ubuntu releases:
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.10:
dovecot-imapd 1:1.1.4-0ubuntu1.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that certain email headers were not correctly handled
by Dovecot. If a remote attacker sent a specially crafted email to a
user with a mailbox managed by Dovecot, that user's mailbox would become
inaccessible through Dovecot, leading to a denial of service.
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.4-0ubuntu1.2.diff.gz
Size/MD5: 929264 081dd67323ef5a912d1865e422d85263
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.4-0ubuntu1.2.dsc
Size/MD5: 1669 b5c959d8dab7b22fefe3e5d5c2768eba
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.4.orig.tar.gz
Size/MD5: 2314155 0050dd609cb456c8e52565a85373df28
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.2_amd64.deb
Size/MD5: 3747338 3799442c47220a147d59cc8ea762e6f0
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.2_amd64.deb
Size/MD5: 549718 0717edc4a2d53ef34b32a3156effe2d1
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.2_amd64.deb
Size/MD5: 950200 eb99baa9acac66128192bdb701f875aa
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.2_amd64.deb
Size/MD5: 905260 5ab8030f635d679a3f5b10cf8282a4f5
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.2_i386.deb
Size/MD5: 3516848 141649512b9ff346eab0582b9338da54
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.2_i386.deb
Size/MD5: 549726 2b611d99e2ff5c2a38938368d2580a0b
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.2_i386.deb
Size/MD5: 921466 68f6e84f7bfe01d31c2ff8dc344ea658
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.2_i386.deb
Size/MD5: 875480 1a2aed36f01b569b9bde6b77a29157e4
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.2_lpia.deb
Size/MD5: 3467624 c287e35fb5f3a1e9b9b4485dc13f07de
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.2_lpia.deb
Size/MD5: 549724 a59177a273803bf9d313a53f3f726729
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.2_lpia.deb
Size/MD5: 913584 a5a5527a95dbb554e57bbca83396bb36
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.2_lpia.deb
Size/MD5: 869452 52d67f818a62a02f97b12c7dde9a150a
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.2_powerpc.deb
Size/MD5: 3815682 21cd45362a782fe289b9662a76079848
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.2_powerpc.deb
Size/MD5: 549740 36d967f8b1277511a9d0ee284c87170c
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.2_powerpc.deb
Size/MD5: 967488 26e8dd0e8509d5b7b604eeee3108e2c5
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.2_powerpc.deb
Size/MD5: 917536 6b45a5aead48627af5cdd92800d33f74
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.2_sparc.deb
Size/MD5: 3508674 fbe66dded65cdefbb6ba8f80961db9e1
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.2_sparc.deb
Size/MD5: 549760 d85ddfbdafa5010d8521eb044ee19860
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.2_sparc.deb
Size/MD5: 918904 2daa617cefe075bce509e4b370b8849e
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.2_sparc.deb
Size/MD5: 872424 0127029046c17431687c4eefba5557f4
--UlxN1C6awaFNesUv
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Kees Cook <kees@outflux.net.>
iEYEARECAAYFAkkUo0YACgkQH/9LqRcGPm1kjQCgjc8mVmAukCMIouQc+vpNQ1gy
T6sAn23HuIkhZkm9MZAs1Nvg8Sg9A6pY
=cRH5
-----END PGP SIGNATURE-----
--UlxN1C6awaFNesUv--