lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20090923163610.2C93D848786@hannah.localdomain>
Date: Thu, 24 Sep 2009 02:36:10 +1000 (EST)
From: white@...ian.org (Steffen Joeris)
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1892-1] New dovecot packages fix arbitrary code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1892-1                  security@...ian.org
http://www.debian.org/security/                      Giuseppe Iuculano
September 23, 2009                    http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Packages       : dovecot
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE IDs        : CVE-2009-2632 CVE-2009-3235
Debian Bug     : 546656

It was discovered that the SIEVE component of dovecot, a mail server
that supports mbox and maildir mailboxes, is vulnerable to a buffer
overflow when processing SIEVE scripts. This can be used to elevate
privileges to the dovecot system user.  An attacker who is able to
install SIEVE scripts executed by the server is therefore able to read
and modify arbitrary email messages on the system.


For the oldstable distribution (etch), this problem has been fixed in version
1.0.rc15-2etch5.

For the stable distribution (lenny), this problem has been fixed in version
1:1.0.15-2.3+lenny1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1:1.2.1-1.


We recommend that you upgrade your dovecot packages.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch5.diff.gz
    Size/MD5 checksum:   105496 25968ea91265d9c79869fd13e1cf18a7
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz
    Size/MD5 checksum:  1463069 26f3d2b075856b1b1d180146363819e6
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch5.dsc
    Size/MD5 checksum:     1017 69660b4d8bd4c443a9e6a445cee73ae4

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_alpha.deb
    Size/MD5 checksum:   583336 05cdd40c7eca4f076ebe18629d497b3b
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_alpha.deb
    Size/MD5 checksum:   621512 58f8c92c7567a9c1ed6eee44979e7abf
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_alpha.deb
    Size/MD5 checksum:  1378160 512ca0853d71066040c22daae6ff0e3a

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_amd64.deb
    Size/MD5 checksum:  1224200 c43f474ed1a38e2b717463faf4a603a9
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_amd64.deb
    Size/MD5 checksum:   536502 9bc2da44bcb81f7c1d5a3381bc02c950
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_amd64.deb
    Size/MD5 checksum:   570646 7a5e8aa209ecee48bbc9daa5c5364788

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_arm.deb
    Size/MD5 checksum:   506574 6a4be002eaaf4932161c03ef9a170e72
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_arm.deb
    Size/MD5 checksum:   537184 d5d095c9771afaacfbd863f2f37700f6
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_arm.deb
    Size/MD5 checksum:  1118568 c884c1632c4e20d9b6636806d2039b29

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_hppa.deb
    Size/MD5 checksum:   561854 1911ecd7f8336deb46986f3f37fae039
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_hppa.deb
    Size/MD5 checksum:  1297502 a965f31d08deb751b26ca9a7b467aa9c
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_hppa.deb
    Size/MD5 checksum:   600138 867931a360b0bfeea1f3e28dfb073bf7

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_i386.deb
    Size/MD5 checksum:   514726 e2fe7ef8a944f84d59c4d13c2583f37f
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_i386.deb
    Size/MD5 checksum:   547040 41d4f84120825e06e41ff079dabd0429
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_i386.deb
    Size/MD5 checksum:  1135076 3e11a2b0f46ce7452760264a478a07a2

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_ia64.deb
    Size/MD5 checksum:  1702256 e292ef2a99bb7868fd131574b0dcb876
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_ia64.deb
    Size/MD5 checksum:   737696 b3ee10e9ca9b771fb7f15ed508173628
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_ia64.deb
    Size/MD5 checksum:   793994 888618682b965c75167249e9177aea29

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_mipsel.deb
    Size/MD5 checksum:   558948 c42d2f897b76a5635d45bc196dbb1fdf
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_mipsel.deb
    Size/MD5 checksum:  1268494 800381d4b15c5857dabe79e37fd1003a
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_mipsel.deb
    Size/MD5 checksum:   595020 33ff0bc5c3755320bd209d4837742a1a

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_powerpc.deb
    Size/MD5 checksum:  1212206 dcef8ac28680d74ed0e3e2586cd3d056
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_powerpc.deb
    Size/MD5 checksum:   569890 b549032c41f1a1f2de3a96a99a92b2e8
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_powerpc.deb
    Size/MD5 checksum:   536100 1e073cad6b24f04f1d10e43c3c2b5c7f

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_s390.deb
    Size/MD5 checksum:  1290172 fc78f024c57fd97448a1cab449d97c26
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_s390.deb
    Size/MD5 checksum:   595622 4f35eef9b7f47a5689f1a3bffb0b1496
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_s390.deb
    Size/MD5 checksum:   559910 472231dbce114cf79838f7c34d0850b9


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15.orig.tar.gz
    Size/MD5 checksum:  1783347 aa39c11c18df6b95b64d4f04d793d77a
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.dsc
    Size/MD5 checksum:     1614 d0b83408d8c8324fdfa03b80cdbed4f6
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.diff.gz
    Size/MD5 checksum:   216038 45614e66070551b80bcbd803113f22d6

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_alpha.deb
    Size/MD5 checksum:   389244 a5b09618e986ca9e9181ce1ae3ec693e
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_alpha.deb
    Size/MD5 checksum:   669230 3e0622750be09c51dae2b0ffee7d015c
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_alpha.deb
    Size/MD5 checksum:  2309838 6f608b22a263d8f5ef8768bbe7a728a6
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_alpha.deb
    Size/MD5 checksum:   709292 6c68631fa3541bc48ca897d98e498274

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_amd64.deb
    Size/MD5 checksum:   390826 7386cae0c224a81a3a69a4c59dc53b1b
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_amd64.deb
    Size/MD5 checksum:   632604 4f8004c08a2d8c56907571b015f279d8
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_amd64.deb
    Size/MD5 checksum:   669682 3ffaccbe054991901b258c204a59bd07
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_amd64.deb
    Size/MD5 checksum:  2106030 bde9f3caac387c20b423d71c3213aaac

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_arm.deb
    Size/MD5 checksum:   620406 34980793a3cf093446b18614880d7c4d
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_arm.deb
    Size/MD5 checksum:   390376 60ee2b17f10334253ea32654e741b006
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_arm.deb
    Size/MD5 checksum:   588296 12f73940ba5583e6c81a38a9d6663cdf
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_arm.deb
    Size/MD5 checksum:  1901028 3c23a98d1f07817db4a314865243ae13

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_armel.deb
    Size/MD5 checksum:   391168 8049082b57c86d865d51679db193d5fa
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_armel.deb
    Size/MD5 checksum:   626970 2bcd781a52cac6cf397b5df9e1e144b1
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_armel.deb
    Size/MD5 checksum:   594616 1515c12da34869de4f5616fe6143aee0
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_armel.deb
    Size/MD5 checksum:  1932436 63c7c48a798aeb72d11b622057eb6ad5

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_hppa.deb
    Size/MD5 checksum:   390606 ab3bd158a5930daad61b9dffb3bb130e
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_hppa.deb
    Size/MD5 checksum:   638882 e3ec95e636c33c400266c5419e18e864
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_hppa.deb
    Size/MD5 checksum:   677942 808cfe06b6b4325b9ea13008d35918b2
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_hppa.deb
    Size/MD5 checksum:  2162538 3f41711076b008bc16ee08e7e822f703

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_i386.deb
    Size/MD5 checksum:  1938596 0113ec4318618383c6945ad66ac457ab
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_i386.deb
    Size/MD5 checksum:   602896 93b9ffb25946df4200203a236839d967
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_i386.deb
    Size/MD5 checksum:   636970 40f7a7785597f69f39991c35865c1df8
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_i386.deb
    Size/MD5 checksum:   390674 615f9e862c4c2b14db2fbed7f3a0089f

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_ia64.deb
    Size/MD5 checksum:   878572 21ea3f8af009b4c0668310a1d42ff6e8
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_ia64.deb
    Size/MD5 checksum:  2857622 5710f0fe4c677388e61268c1b6d28a9a
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_ia64.deb
    Size/MD5 checksum:   389246 afaa27855049264e8d1bc6272c619c68
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_ia64.deb
    Size/MD5 checksum:   818126 94b7b844dfb2d352901a0570dcc9446a

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_mips.deb
    Size/MD5 checksum:   389274 39038f291d9e447928d0ce4cc69547f8
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_mips.deb
    Size/MD5 checksum:   631574 6c011d890fb624ab2fb42f9d531c56c6
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_mips.deb
    Size/MD5 checksum:  2104730 a5c2b94943df80bb457afdb7ebdd1047
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_mips.deb
    Size/MD5 checksum:   668110 027bdd8d539ad64838e70d01b817ab9a

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_mipsel.deb
    Size/MD5 checksum:   389284 7393c2e406358c4ff44f1936e77289bc
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_mipsel.deb
    Size/MD5 checksum:   666878 952824b8ef88116eecd9b6d8dc2eb7ab
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_mipsel.deb
    Size/MD5 checksum:  2107826 868569a1a13d5150d052f3f85a0c5b4b
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_mipsel.deb
    Size/MD5 checksum:   630902 26f8d04ed6cebb1cee2cdee0466e3828

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_powerpc.deb
    Size/MD5 checksum:  2116926 83a20a035135c86165e90512e1616e17
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_powerpc.deb
    Size/MD5 checksum:   633850 378165eda8f93d5db9a9750eb388a3d7
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_powerpc.deb
    Size/MD5 checksum:   389308 5706cb949dce54ed6bde511050c808db
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_powerpc.deb
    Size/MD5 checksum:   670056 5935a4928c82551b592a4ab7103d0305

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_sparc.deb
    Size/MD5 checksum:   389286 d67b24f2a1ca1ae2dfa7aeed269ba1c5
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_sparc.deb
    Size/MD5 checksum:   595054 0ce7c504c0a218e95713084b6fbdd9d4
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_sparc.deb
    Size/MD5 checksum:   628466 5509951b4426e12912531c3f56e309ae
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_sparc.deb
    Size/MD5 checksum:  1906138 8eda92ca5dfb4239544a288ebd8e8230


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkq6TkYACgkQ62zWxYk/rQf9WwCgtQFfyzvxMG27iAjtHw2SY7cZ
ouAAn2g8b0lXjAZGmQoiX0W9oXk4QsuE
=lSZ6
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ