[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20090923163610.2C93D848786@hannah.localdomain>
Date: Thu, 24 Sep 2009 02:36:10 +1000 (EST)
From: white@...ian.org (Steffen Joeris)
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1892-1] New dovecot packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1892-1 security@...ian.org
http://www.debian.org/security/ Giuseppe Iuculano
September 23, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Packages : dovecot
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE IDs : CVE-2009-2632 CVE-2009-3235
Debian Bug : 546656
It was discovered that the SIEVE component of dovecot, a mail server
that supports mbox and maildir mailboxes, is vulnerable to a buffer
overflow when processing SIEVE scripts. This can be used to elevate
privileges to the dovecot system user. An attacker who is able to
install SIEVE scripts executed by the server is therefore able to read
and modify arbitrary email messages on the system.
For the oldstable distribution (etch), this problem has been fixed in version
1.0.rc15-2etch5.
For the stable distribution (lenny), this problem has been fixed in version
1:1.0.15-2.3+lenny1.
For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1:1.2.1-1.
We recommend that you upgrade your dovecot packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch5.diff.gz
Size/MD5 checksum: 105496 25968ea91265d9c79869fd13e1cf18a7
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz
Size/MD5 checksum: 1463069 26f3d2b075856b1b1d180146363819e6
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch5.dsc
Size/MD5 checksum: 1017 69660b4d8bd4c443a9e6a445cee73ae4
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_alpha.deb
Size/MD5 checksum: 583336 05cdd40c7eca4f076ebe18629d497b3b
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_alpha.deb
Size/MD5 checksum: 621512 58f8c92c7567a9c1ed6eee44979e7abf
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_alpha.deb
Size/MD5 checksum: 1378160 512ca0853d71066040c22daae6ff0e3a
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_amd64.deb
Size/MD5 checksum: 1224200 c43f474ed1a38e2b717463faf4a603a9
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_amd64.deb
Size/MD5 checksum: 536502 9bc2da44bcb81f7c1d5a3381bc02c950
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_amd64.deb
Size/MD5 checksum: 570646 7a5e8aa209ecee48bbc9daa5c5364788
arm architecture (ARM)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_arm.deb
Size/MD5 checksum: 506574 6a4be002eaaf4932161c03ef9a170e72
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_arm.deb
Size/MD5 checksum: 537184 d5d095c9771afaacfbd863f2f37700f6
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_arm.deb
Size/MD5 checksum: 1118568 c884c1632c4e20d9b6636806d2039b29
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_hppa.deb
Size/MD5 checksum: 561854 1911ecd7f8336deb46986f3f37fae039
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_hppa.deb
Size/MD5 checksum: 1297502 a965f31d08deb751b26ca9a7b467aa9c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_hppa.deb
Size/MD5 checksum: 600138 867931a360b0bfeea1f3e28dfb073bf7
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_i386.deb
Size/MD5 checksum: 514726 e2fe7ef8a944f84d59c4d13c2583f37f
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_i386.deb
Size/MD5 checksum: 547040 41d4f84120825e06e41ff079dabd0429
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_i386.deb
Size/MD5 checksum: 1135076 3e11a2b0f46ce7452760264a478a07a2
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_ia64.deb
Size/MD5 checksum: 1702256 e292ef2a99bb7868fd131574b0dcb876
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_ia64.deb
Size/MD5 checksum: 737696 b3ee10e9ca9b771fb7f15ed508173628
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_ia64.deb
Size/MD5 checksum: 793994 888618682b965c75167249e9177aea29
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_mipsel.deb
Size/MD5 checksum: 558948 c42d2f897b76a5635d45bc196dbb1fdf
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_mipsel.deb
Size/MD5 checksum: 1268494 800381d4b15c5857dabe79e37fd1003a
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_mipsel.deb
Size/MD5 checksum: 595020 33ff0bc5c3755320bd209d4837742a1a
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_powerpc.deb
Size/MD5 checksum: 1212206 dcef8ac28680d74ed0e3e2586cd3d056
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_powerpc.deb
Size/MD5 checksum: 569890 b549032c41f1a1f2de3a96a99a92b2e8
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_powerpc.deb
Size/MD5 checksum: 536100 1e073cad6b24f04f1d10e43c3c2b5c7f
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_s390.deb
Size/MD5 checksum: 1290172 fc78f024c57fd97448a1cab449d97c26
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_s390.deb
Size/MD5 checksum: 595622 4f35eef9b7f47a5689f1a3bffb0b1496
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_s390.deb
Size/MD5 checksum: 559910 472231dbce114cf79838f7c34d0850b9
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15.orig.tar.gz
Size/MD5 checksum: 1783347 aa39c11c18df6b95b64d4f04d793d77a
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.dsc
Size/MD5 checksum: 1614 d0b83408d8c8324fdfa03b80cdbed4f6
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.diff.gz
Size/MD5 checksum: 216038 45614e66070551b80bcbd803113f22d6
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_alpha.deb
Size/MD5 checksum: 389244 a5b09618e986ca9e9181ce1ae3ec693e
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_alpha.deb
Size/MD5 checksum: 669230 3e0622750be09c51dae2b0ffee7d015c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_alpha.deb
Size/MD5 checksum: 2309838 6f608b22a263d8f5ef8768bbe7a728a6
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_alpha.deb
Size/MD5 checksum: 709292 6c68631fa3541bc48ca897d98e498274
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_amd64.deb
Size/MD5 checksum: 390826 7386cae0c224a81a3a69a4c59dc53b1b
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_amd64.deb
Size/MD5 checksum: 632604 4f8004c08a2d8c56907571b015f279d8
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_amd64.deb
Size/MD5 checksum: 669682 3ffaccbe054991901b258c204a59bd07
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_amd64.deb
Size/MD5 checksum: 2106030 bde9f3caac387c20b423d71c3213aaac
arm architecture (ARM)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_arm.deb
Size/MD5 checksum: 620406 34980793a3cf093446b18614880d7c4d
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_arm.deb
Size/MD5 checksum: 390376 60ee2b17f10334253ea32654e741b006
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_arm.deb
Size/MD5 checksum: 588296 12f73940ba5583e6c81a38a9d6663cdf
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_arm.deb
Size/MD5 checksum: 1901028 3c23a98d1f07817db4a314865243ae13
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_armel.deb
Size/MD5 checksum: 391168 8049082b57c86d865d51679db193d5fa
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_armel.deb
Size/MD5 checksum: 626970 2bcd781a52cac6cf397b5df9e1e144b1
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_armel.deb
Size/MD5 checksum: 594616 1515c12da34869de4f5616fe6143aee0
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_armel.deb
Size/MD5 checksum: 1932436 63c7c48a798aeb72d11b622057eb6ad5
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_hppa.deb
Size/MD5 checksum: 390606 ab3bd158a5930daad61b9dffb3bb130e
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_hppa.deb
Size/MD5 checksum: 638882 e3ec95e636c33c400266c5419e18e864
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_hppa.deb
Size/MD5 checksum: 677942 808cfe06b6b4325b9ea13008d35918b2
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_hppa.deb
Size/MD5 checksum: 2162538 3f41711076b008bc16ee08e7e822f703
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_i386.deb
Size/MD5 checksum: 1938596 0113ec4318618383c6945ad66ac457ab
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_i386.deb
Size/MD5 checksum: 602896 93b9ffb25946df4200203a236839d967
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_i386.deb
Size/MD5 checksum: 636970 40f7a7785597f69f39991c35865c1df8
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_i386.deb
Size/MD5 checksum: 390674 615f9e862c4c2b14db2fbed7f3a0089f
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_ia64.deb
Size/MD5 checksum: 878572 21ea3f8af009b4c0668310a1d42ff6e8
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_ia64.deb
Size/MD5 checksum: 2857622 5710f0fe4c677388e61268c1b6d28a9a
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_ia64.deb
Size/MD5 checksum: 389246 afaa27855049264e8d1bc6272c619c68
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_ia64.deb
Size/MD5 checksum: 818126 94b7b844dfb2d352901a0570dcc9446a
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_mips.deb
Size/MD5 checksum: 389274 39038f291d9e447928d0ce4cc69547f8
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_mips.deb
Size/MD5 checksum: 631574 6c011d890fb624ab2fb42f9d531c56c6
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_mips.deb
Size/MD5 checksum: 2104730 a5c2b94943df80bb457afdb7ebdd1047
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_mips.deb
Size/MD5 checksum: 668110 027bdd8d539ad64838e70d01b817ab9a
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_mipsel.deb
Size/MD5 checksum: 389284 7393c2e406358c4ff44f1936e77289bc
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_mipsel.deb
Size/MD5 checksum: 666878 952824b8ef88116eecd9b6d8dc2eb7ab
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_mipsel.deb
Size/MD5 checksum: 2107826 868569a1a13d5150d052f3f85a0c5b4b
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_mipsel.deb
Size/MD5 checksum: 630902 26f8d04ed6cebb1cee2cdee0466e3828
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_powerpc.deb
Size/MD5 checksum: 2116926 83a20a035135c86165e90512e1616e17
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_powerpc.deb
Size/MD5 checksum: 633850 378165eda8f93d5db9a9750eb388a3d7
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_powerpc.deb
Size/MD5 checksum: 389308 5706cb949dce54ed6bde511050c808db
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_powerpc.deb
Size/MD5 checksum: 670056 5935a4928c82551b592a4ab7103d0305
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_sparc.deb
Size/MD5 checksum: 389286 d67b24f2a1ca1ae2dfa7aeed269ba1c5
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_sparc.deb
Size/MD5 checksum: 595054 0ce7c504c0a218e95713084b6fbdd9d4
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_sparc.deb
Size/MD5 checksum: 628466 5509951b4426e12912531c3f56e309ae
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_sparc.deb
Size/MD5 checksum: 1906138 8eda92ca5dfb4239544a288ebd8e8230
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkq6TkYACgkQ62zWxYk/rQf9WwCgtQFfyzvxMG27iAjtHw2SY7cZ
ouAAn2g8b0lXjAZGmQoiX0W9oXk4QsuE
=lSZ6
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists