lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070828175839.GA24219@steve.org.uk>
Date: Tue, 28 Aug 2007 18:58:39 +0100
From: Steve Kemp <skx@...ian.org>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA 1359-1] New dovecot packages fix
	directory traversal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA 1359-1                  security@...ian.org
http://www.debian.org/security/                               Steve Kemp
August 28th, 2007                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : dovecot
Vulnerability  : directory traversal
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-2231


It was discovered that dovecot, a secure mail server that supports mbox
and maildir mailboxes, when configured to use non-system-user spools
and compressed folders, may allow directory traversal in mailbox names.

For the stable distribution (etch), this problem has been fixed in
version 1.0.rc15-2etch1.

For the old stable distribution (sarge), this problem was not present.

For the unstable distribution this problem with be fixed soon.

We recommend that you upgrade your dovecot package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- --------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch1.dsc
    Size/MD5 checksum:     1007 cde4bffef0b1c78324bc8adc6354eaa4
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz
    Size/MD5 checksum:  1463069 26f3d2b075856b1b1d180146363819e6
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch1.diff.gz
    Size/MD5 checksum:    94823 fbf56611ccca44cee2a4663c8fbb56c0

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_alpha.deb
    Size/MD5 checksum:   618818 3b125c8d36e45fede3d73464a5e7f12a
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_alpha.deb
    Size/MD5 checksum:  1373836 97c909a2774519f3d04a33c74212cb05
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_alpha.deb
    Size/MD5 checksum:   580708 d840ccd638850f72014e89641fbe9569

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_amd64.deb
    Size/MD5 checksum:   534118 8869870afff4eb25559457faece371d4
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_amd64.deb
    Size/MD5 checksum:   568180 ebf3cfcb5343f48379ef14989a9482ef
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_amd64.deb
    Size/MD5 checksum:  1224650 79fbf3019551461c68197a5e5f6a6620

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_arm.deb
    Size/MD5 checksum:  1116470 a3774a96d2daf2534613cd75e9044726
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_arm.deb
    Size/MD5 checksum:   503858 45c610525a211f80462ee8a30b997b98
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_arm.deb
    Size/MD5 checksum:   534534 e7af01554616f50b38b63e76a0035402

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_hppa.deb
    Size/MD5 checksum:  1293812 b77e446a414f88c05aa073c663e1aff3
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_hppa.deb
    Size/MD5 checksum:   596290 207bcda07cad9d263b4543c87788553d
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_hppa.deb
    Size/MD5 checksum:   559686 bab920cd7543cfaea2a76e03cc087d51

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_i386.deb
    Size/MD5 checksum:  1127680 80fab6db53d353058b801e5ad42cd305
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_i386.deb
    Size/MD5 checksum:   511940 b773c45daa6483d02af9f4f702a538f7
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_i386.deb
    Size/MD5 checksum:   544082 d4685011b8c8359f849a2fc3f65cb0b3

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_ia64.deb
    Size/MD5 checksum:   789702 84fb674f3f568db180c41cfb21088d5f
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_ia64.deb
    Size/MD5 checksum:  1694430 e4c5c30e65312e92ec151d55f308c473
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_ia64.deb
    Size/MD5 checksum:   733296 4b718887ebdcc88600999e0270e12ec0

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_mips.deb
    Size/MD5 checksum:   593030 1af3fc78abbcf4f0c9aece1fad08b624
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_mips.deb
    Size/MD5 checksum:   557018 3bcd83e867f03d1dfac558f1df1a7ca5
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_mips.deb
    Size/MD5 checksum:  1258216 833f0f974dfe83db4d3cab0351f4c33b

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_mipsel.deb
    Size/MD5 checksum:  1263156 b8c3335d051c0be6b2923f5e939594cd
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_mipsel.deb
    Size/MD5 checksum:   592544 61b1b479bb89219e9493c8140913ff07
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_mipsel.deb
    Size/MD5 checksum:   556560 67fd4d0ba283209202c0b4564a2ae74a

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_s390.deb
    Size/MD5 checksum:  1284486 5b39d3b4db4ab8f4360406037e118a88
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_s390.deb
    Size/MD5 checksum:   592810 7361ea663e14012502c9821e9d2fdf70
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_s390.deb
    Size/MD5 checksum:   557544 1dce29ac718f481894db452aef8c783d

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_sparc.deb
    Size/MD5 checksum:  1103380 47e7f2cf8d8276ee941ab7332ad356ab
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_sparc.deb
    Size/MD5 checksum:   531158 41e6f8e91ddc0bda4089aa1e1ac97432
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_sparc.deb
    Size/MD5 checksum:   499596 4bdaaa9e12ef03ee5800c1b291970479


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG1GIhwM/Gs81MDZ0RAu2+AKClyc+Hp8T8rfMqjq5UaMnBYLo1BgCg3RHL
qAHaDowybNaXwDlnofswnAg=
=KY3M
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ