lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1L2u9Y-0007ri-Gp@titan.mandriva.com>
Date: Wed, 19 Nov 2008 14:00:00 -0700
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2008:232 ] dovecot


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:232
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : dovecot
 Date    : November 19, 2008
 Affected: 2009.0
 _______________________________________________________________________

 Problem Description:

 The ACL plugin in dovecot prior to version 1.1.4 treated negative
 access rights as though they were positive access rights, which allowed
 attackers to bypass intended access restrictions (CVE-2008-4577).
 
 The ACL plugin in dovecot prior to version 1.1.6 allowed attackers to
 bypass intended access restrictions by using the 'k' right to create
 unauthorized 'parent/child/child' mailboxes (CVE-2008-4578).
 
 In addition, two bugs were discovered in the dovecot package shipped
 with Mandriva Linux 2009.0. The default permissions on the dovecot.conf
 configuration file were too restrictive, which prevents the use of
 dovecot's 'deliver' command as a non-root user. Secondly, dovecot
 should not start until after ntpd, if ntpd is active, because if ntpd
 corrects the time backwards while dovecot is running, dovecot will
 quit automatically, with the log message 'Time just moved backwards
 by X seconds. This might cause a lot of problems, so I'll just kill
 myself now.' The update resolves both these problems. The default
 permissions on dovecot.conf now allow the 'deliver' command to read the
 file. Note that if you edited dovecot.conf at all prior to installing
 the update, the new permissions may not be applied. If you find the
 'deliver' command still does not work following the update, please
 run these commands as root:
 
  # chmod 0640 /etc/dovecot.conf
  # chown root:mail /etc/dovecot.conf
 
 Dovecot's initialization script now configures it to start after the
 ntpd service, to ensure ntpd resetting the clock does not interfere
 with Dovecot operation.
 
 This package corrects the above-noted bugs and security issues by
 upgrading to the latest dovecot 1.1.6, which also provides additional
 bug fixes.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4578
 https://qa.mandriva.com/44926
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 437fcab249d5274b3101bb7c953c2a79  2009.0/i586/dovecot-1.1.6-0.1mdv2009.0.i586.rpm
 0ca908249ab050c56e61dadfd0fb1c33  2009.0/i586/dovecot-devel-1.1.6-0.1mdv2009.0.i586.rpm
 48b2d085ef9a6a1c1dfcb55f3af6090b  2009.0/i586/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.i586.rpm
 8698367ab382293be85e3e7fb65b38ca  2009.0/i586/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.i586.rpm 
 c2878a5f597b8a9f66605df32cf65a06  2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 1c4936b072f401ea2c94c6c7b3d6b427  2009.0/x86_64/dovecot-1.1.6-0.1mdv2009.0.x86_64.rpm
 5d869999de273e36c8bda186fb2610a0  2009.0/x86_64/dovecot-devel-1.1.6-0.1mdv2009.0.x86_64.rpm
 9bc71b93dce1b7995039e0cbf7623803  2009.0/x86_64/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.x86_64.rpm
 264aaf2cbec7ef2ea7071f14b6bf174a  2009.0/x86_64/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.x86_64.rpm 
 c2878a5f597b8a9f66605df32cf65a06  2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJJFP0mqjQ0CJFipgRAuoeAJ0WfJeaYMYjf3AqlqNMB5bgLqLUyACfVeUw
J+LV2A2JkunA7NIvHpNp96M=
=mVwB
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ