lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1254144241.4260.0.camel@mdlinux.technorage.com>
Date: Mon, 28 Sep 2009 09:24:01 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-838-1] Dovecot vulnerabilities

===========================================================
Ubuntu Security Notice USN-838-1         September 28, 2009
dovecot vulnerabilities
CVE-2008-4577, CVE-2008-5301, CVE-2009-2632, CVE-2009-3235
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  dovecot-common                  1:1.0.10-1ubuntu5.2

Ubuntu 8.10:
  dovecot-common                  1:1.1.4-0ubuntu1.3

Ubuntu 9.04:
  dovecot-common                  1:1.1.11-0ubuntu4.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that the ACL plugin in Dovecot would incorrectly handle
negative access rights. An attacker could exploit this flaw to access the
Dovecot server, bypassing the indended access restrictions. This only
affected Ubuntu 8.04 LTS. (CVE-2008-4577)

It was discovered that the ManageSieve service in Dovecot incorrectly
handled ".." in script names. A remote attacker could exploit this to read
and modify arbitrary sieve files on the server. This only affected Ubuntu
8.10. (CVE-2008-5301)

It was discovered that the Sieve plugin in Dovecot incorrectly handled
certain sieve scripts. An authenticated user could exploit this with a
crafted sieve script to cause a denial of service or possibly execute
arbitrary code. (CVE-2009-2632, CVE-2009-3235)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.10-1ubuntu5.2.diff.gz
      Size/MD5:   407785 8bab610c8eaa3d584251f43f589458ef
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.10-1ubuntu5.2.dsc
      Size/MD5:     1295 381a3267d0258419fee8f054ee5bcd13
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.10.orig.tar.gz
      Size/MD5:  1797790 c050fa2a7dae8984d432595e3e8183e1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_amd64.deb
      Size/MD5:  1838902 c0bd69b04f49b20bdbe7e2c830660e04
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_amd64.deb
      Size/MD5:   387834 b6a474d722d36ca98e2790954304d249
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_amd64.deb
      Size/MD5:   662814 ab6309638125fabe5752177671b3f8b3
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_amd64.deb
      Size/MD5:   625852 ce40fd95a9dc4bcc60c1b0c473a5e117

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_i386.deb
      Size/MD5:  1695832 b1c5df762f681ee1c6ab3a9903ff367a
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_i386.deb
      Size/MD5:   387848 d00535e76b28f9622ea77c36c69b808d
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_i386.deb
      Size/MD5:   629748 61cb4fda4aa29fce1bf326522bbb2dda
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_i386.deb
      Size/MD5:   596084 d97fb54aba0f43f014f9e1dfd6404456

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_lpia.deb
      Size/MD5:  1689932 e20d72de31679d4698caaa2d3fd92ebb
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_lpia.deb
      Size/MD5:   387846 34903b7cdb220e85978c6483c7f09848
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_lpia.deb
      Size/MD5:   630210 7238a78a55f787251facd75cc3a15539
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_lpia.deb
      Size/MD5:   596564 f969a0ee5a2de65dee4e81de9c103622

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_powerpc.deb
      Size/MD5:  1859284 96619941551bb690e56d6604972370da
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_powerpc.deb
      Size/MD5:   387880 cf175dd90cf5b677f55106c4e680ed9b
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_powerpc.deb
      Size/MD5:   669752 2b3b052e0d9703b41886c57793e7d1d6
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_powerpc.deb
      Size/MD5:   633286 d87398d7e70d3eaf53e2c6fdd8652c5b

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_sparc.deb
      Size/MD5:  1688040 38f3316086f8e23d3894a3391d5e1a4d
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_sparc.deb
      Size/MD5:   387864 ddb730f73fa997e160fc5cecb33849fa
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_sparc.deb
      Size/MD5:   626886 6f8101225f556210c487c1b893aa639e
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_sparc.deb
      Size/MD5:   593772 ea19773a3574702074ae05e30bdb248a

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.4-0ubuntu1.3.diff.gz
      Size/MD5:   928070 e0aa195d3428177fe9411548751772bd
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.4-0ubuntu1.3.dsc
      Size/MD5:     1631 9c08ffd5652cfb1773f44e124d13ca61
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.4.orig.tar.gz
      Size/MD5:  2314155 0050dd609cb456c8e52565a85373df28

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.3_amd64.deb
      Size/MD5:  3741952 0b0cfe3678735916771b36e5ec160e06
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.3_amd64.deb
      Size/MD5:   550040 1917dfa8998eb7ca66ca3976bda173e1
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.3_amd64.deb
      Size/MD5:   950536 17d646723188b605fa3a3049498fe4ff
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.3_amd64.deb
      Size/MD5:   905584 f387f84340a9504321524219474fa147

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.3_i386.deb
      Size/MD5:  3517356 7e0152635e337f3270880854fd6c9915
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.3_i386.deb
      Size/MD5:   550052 13bf7c6602410ef8f36e12a0ad9acfa2
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.3_i386.deb
      Size/MD5:   921792 417d56c7b938c795e55f49900e915b3b
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.3_i386.deb
      Size/MD5:   875792 09ff4ebec07209aa3a6c8e4948a9fdef

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.3_lpia.deb
      Size/MD5:  3462178 1069f6a2dba50c0ca051f6729d5b690c
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.3_lpia.deb
      Size/MD5:   550044 ff2f07f9bf2e2790dfa3a0bb179f9818
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.3_lpia.deb
      Size/MD5:   913898 a9b186e1376c95035149e03cb6304f06
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.3_lpia.deb
      Size/MD5:   869782 3100c863e91d39871bbef95eb90fc5d2

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.3_powerpc.deb
      Size/MD5:  3809458 549f771da3cc47778cf39cd136fb31ea
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.3_powerpc.deb
      Size/MD5:   550068 a7684b6f8de2bdc0779e3f1909a71ddd
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.3_powerpc.deb
      Size/MD5:   967808 ac60bc51b60709e87c16e1a89b4d86a4
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.3_powerpc.deb
      Size/MD5:   917878 1a97248a18f853868f79a647baddadf9

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.3_sparc.deb
      Size/MD5:  3504892 2f9769dba2217da279734406fc4f7598
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.3_sparc.deb
      Size/MD5:   550104 785e41269e14f2dc8259b4c50d7521f5
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.3_sparc.deb
      Size/MD5:   919240 32d5e97daaac4a485a73e1c2deb4b12a
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.3_sparc.deb
      Size/MD5:   872784 ba89567df97c5852802dee8664592440

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.11-0ubuntu4.1.diff.gz
      Size/MD5:   933389 e69b949ee26b6f2d59549c14f473ff36
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.11-0ubuntu4.1.dsc
      Size/MD5:     1655 55553d872f13646ee67923675ba5aeca
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.11.orig.tar.gz
      Size/MD5:  2362415 c973eb41aca79fb16630a16f0d84f765

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-postfix_1.1.11-0ubuntu4.1_all.deb
      Size/MD5:    22572 dc5219ed120e1541596d327ea3c5bb25

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.1.11-0ubuntu4.1_amd64.deb
      Size/MD5:  3708084 016223dc6893ecf7e87d269f49125e58
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.1.11-0ubuntu4.1_amd64.deb
      Size/MD5:   565074 1d847edeba4f72d6bc849af74facb327
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.1.11-0ubuntu4.1_amd64.deb
      Size/MD5:   969828 7f4fae28f42007ddc221cb17a4698b46
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.1.11-0ubuntu4.1_amd64.deb
      Size/MD5:   925688 079c721b1076d1e0fbe207250acaac2f

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.1.11-0ubuntu4.1_i386.deb
      Size/MD5:  3489560 4891c8aaa08191613a910abca4004807
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.1.11-0ubuntu4.1_i386.deb
      Size/MD5:   565088 205baabd1480d8dc192ad8664806d79f
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.1.11-0ubuntu4.1_i386.deb
      Size/MD5:   939976 51b85c21d6985a0179ae400f150bbc43
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.1.11-0ubuntu4.1_i386.deb
      Size/MD5:   896494 c509b3e8e4f33a7b89b09fe898aa0a26

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.11-0ubuntu4.1_lpia.deb
      Size/MD5:  3438158 00fd839575485921909b33205279f434
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.11-0ubuntu4.1_lpia.deb
      Size/MD5:   565062 3f97b5355509275f1e895a2f8f2548b1
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.11-0ubuntu4.1_lpia.deb
      Size/MD5:   932192 69836d9eb88460c42f5fdea61a6e70aa
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.11-0ubuntu4.1_lpia.deb
      Size/MD5:   890114 c23e4311d013a7416392a2c2c28c2144

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.11-0ubuntu4.1_powerpc.deb
      Size/MD5:  3780660 bab41c6fcbcdf7e2f39d32f27e090ec3
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.11-0ubuntu4.1_powerpc.deb
      Size/MD5:   565124 b3d5cc8886c6be0b4c538c3204cb6cef
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.11-0ubuntu4.1_powerpc.deb
      Size/MD5:   987250 7a018b6c36747bde9d1cff6eb79a7a5d
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.11-0ubuntu4.1_powerpc.deb
      Size/MD5:   938730 c3a8c128308f0b1212300a0a2121ca43

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.11-0ubuntu4.1_sparc.deb
      Size/MD5:  3473282 d20e674b6c5fff91f20a75182b836664
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.11-0ubuntu4.1_sparc.deb
      Size/MD5:   565124 d9abbe6098367fbdb0cb75c58197edab
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.11-0ubuntu4.1_sparc.deb
      Size/MD5:   936990 62c55214cbb59c52e6df64a599135b28
    http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.11-0ubuntu4.1_sparc.deb
      Size/MD5:   893462 c613a178367b122aa0a4ef525f9f55e8




Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ