DSA 1080-1: New dovecot packages fix directory traversal
Posted on: 05/29/2006 08:12 AM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1080-1 security@debian.org
http://www.debian.org/security/ Steve Kemp
May 29th, 2006 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : dovecot
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-2414

A problem has been discovered in the IMAP component of Dovecot, a
secure mail server that supports mbox and maildir mailboxes, which can
lead to information disclosure via directory traversal by
authenticated users.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 0.99.14-1sarge0.

For the unstable distribution (sid) this problem has been fixed in
version 1.0beta8-1.

We recommend that you upgrade your dovecot-imapd package.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot_0.99.14-1sarge0.dsc
Size/MD5 checksum: 760 5365f712ee15d1c3b825af2ef95f583e
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_0.99.14-1sarge0.diff.gz
Size/MD5 checksum: 26557 e30859421db7ebe8478dacb02110f3f0
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_0.99.14.orig.tar.gz
Size/MD5 checksum: 871285 a12e26fd378a46c31ec3a81ab7b55b5b

Architecture independent components:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot_0.99.14-1sarge0_all.deb
Size/MD5 checksum: 7516 b6813e75e60e5094ac114fcc198d2ea2

Alpha architecture:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_alpha.deb
Size/MD5 checksum: 283796 06751f47fe61b4f9fd410cd055288be2
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_alpha.deb
Size/MD5 checksum: 364838 e6e564cf60e92b4bd12f5209f56ed4c1
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_alpha.deb
Size/MD5 checksum: 331290 e6bf35a49d23636b53378e996ce9c1d2

AMD64 architecture:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_amd64.deb
Size/MD5 checksum: 258846 990b811364af83c3223e6a733fb6856b
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_amd64.deb
Size/MD5 checksum: 311520 642e17490997baa93857b282c4b13f7a
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_amd64.deb
Size/MD5 checksum: 285308 6ea57ba9b419b77964812a93f959b98c

ARM architecture:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_arm.deb
Size/MD5 checksum: 244796 64574178089a5c8ee75912adbe0aaf33
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_arm.deb
Size/MD5 checksum: 289624 5d4b172a52f4f23d9702348d03b35ff3
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_arm.deb
Size/MD5 checksum: 265496 3284fc52fd054f5545e8327cc0d39e7a

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_i386.deb
Size/MD5 checksum: 245230 ba2e1bccd3d12180c2ec50d41102dde7
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_i386.deb
Size/MD5 checksum: 292656 00c0245e231a07bc05104c2b3113951b
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_i386.deb
Size/MD5 checksum: 268158 9c061cc01ca82178530b6c47aad1120c

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_ia64.deb
Size/MD5 checksum: 308824 fab290d2d317aa96a0111129214cf05e
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_ia64.deb
Size/MD5 checksum: 429626 287f26ebef5de68a0867ef38fcba4aa0
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_ia64.deb
Size/MD5 checksum: 389276 f4cc53876bae4f3780eeb89465700c8f

HP Precision architecture:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_hppa.deb
Size/MD5 checksum: 263982 2fefd32583dfff8410dbe14bc32c9771
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_hppa.deb
Size/MD5 checksum: 329758 1375b56509aee5b605ef3a290469d43c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_hppa.deb
Size/MD5 checksum: 301158 504332dbc815999c61b48d3eac4fb7a3

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_m68k.deb
Size/MD5 checksum: 234130 a45c037148354769c27892781267485a
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_m68k.deb
Size/MD5 checksum: 265658 a37e2a5eaa09a604dda421fafbd26b0c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_m68k.deb
Size/MD5 checksum: 243988 648469b9fdc01db53d142388b8cc2455

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_mips.deb
Size/MD5 checksum: 266612 709081de9bbd89abf7e604415c084336
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_mips.deb
Size/MD5 checksum: 335312 cd3c144f32e7e2f8b051c4038729d0db
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_mips.deb
Size/MD5 checksum: 306346 324926cc8cd59c1752c28a5a5e3c82f0

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_mipsel.deb
Size/MD5 checksum: 266570 cf6172ff278d730828743d8d5c225c30
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_mipsel.deb
Size/MD5 checksum: 335318 48895c1e7d38310df3438b06c0bd0255
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_mipsel.deb
Size/MD5 checksum: 306390 0ad05fa2956bf634ab4ee5cb644f6776

PowerPC architecture:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_powerpc.deb
Size/MD5 checksum: 256774 4545dd863436ac5725b98dbfec1cd25e
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_powerpc.deb
Size/MD5 checksum: 313862 2df352eced7aff6eda4e6e516b94c402
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_powerpc.deb
Size/MD5 checksum: 286772 06b25b73ede373b9b9bda930dc4afef9

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_s390.deb
Size/MD5 checksum: 265964 9b18cdf5194db5a614e98c1a2e14f176
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_s390.deb
Size/MD5 checksum: 325310 a732511d63ed64239df43d09c0cd1afd
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_s390.deb
Size/MD5 checksum: 297864 ebcf6c73b0b94f6b9fee1c85a04f4824

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_sparc.deb
Size/MD5 checksum: 244540 87bb459d4c1eb6ed335dd57fee3fed0c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_sparc.deb
Size/MD5 checksum: 291136 5abab794ab7a53e83190a38a7185e648
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_sparc.deb
Size/MD5 checksum: 266018 c63b900e49e4769200aef6db7b6bccf0


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEep0/W5ql+IAeqTIRArPKAJ97LqMoapV3aqi/I5v8TI6Of3Oa7wCeLfmf
uCktCQh0gxg44eK9g3IVaGA=
=LHtI
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1080_1_new_dovecot_packages_fix_directory_traversal.html)