USN-567-1: Dovecot vulnerability
Posted on: 01/10/2008 11:15 PM

A new Dovecot vulnerability update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-567-1 January 10, 2008
dovecot vulnerability
CVE-2007-6598
==========================
==========================
=========

A security issue affects the following Ubuntu releases:

Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.04:
dovecot-imapd 1.0.rc17-1ubuntu2.2
dovecot-pop3d 1.0.rc17-1ubuntu2.2

Ubuntu 7.10:
dovecot-imapd 1:1.0.5-1ubuntu2.1
dovecot-pop3d 1:1.0.5-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that in very rare configurations using LDAP, Dovecot may
reuse cached connections for users with the same password. As a result,
a user may be able to login as another if the connection is reused.
The default Ubuntu configuration of Dovecot was not vulnerable.


Updated packages for Ubuntu 7.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-=
1ubuntu2.2.diff.gz
Size/MD5: 101513 3a05fe3f2bdcd39c32e0a650b61c9b18
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-=
1ubuntu2.2.dsc
Size/MD5: 1100 89b4ea9a138396356ce51947d4a958b8
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17.=
orig.tar.gz
Size/MD5: 1512386 881bcc7d2c8fba6d337f3e616a602bf7

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.2_amd64.deb
Size/MD5: 1274744 7c4aea65aa4b2c8360ca296e4c7dd11b
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
.rc17-1ubuntu2.2_amd64.deb
Size/MD5: 586662 3a4c663dd70057ff8a559512880f88b5
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
.rc17-1ubuntu2.2_amd64.deb
Size/MD5: 552404 d3c2ce0c2eb3aa58f8b17dad3fc4ee8f

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.2_i386.deb
Size/MD5: 1164784 517cb8721acce093e3435565a2163a0e
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
.rc17-1ubuntu2.2_i386.deb
Size/MD5: 554298 eb6fbeeeee1889303647318298ad5150
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
.rc17-1ubuntu2.2_i386.deb
Size/MD5: 521626 a82bae1bb6e26289a91166bc77f1a23b

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.2_powerpc.deb
Size/MD5: 1291322 a4df46fd2fac7456d425bf66b5862188
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
.rc17-1ubuntu2.2_powerpc.deb
Size/MD5: 591040 a27429b620664c82ada26d6cbfafcbc5
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
.rc17-1ubuntu2.2_powerpc.deb
Size/MD5: 556188 16c2bdae0d14a402644c8c58439fa75c

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.2_sparc.deb
Size/MD5: 1158252 875a51f7b4ee7c81ada93481e2fc7487
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
.rc17-1ubuntu2.2_sparc.deb
Size/MD5: 549596 75f43e94538ed72b7342b3ed00ba6005
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
.rc17-1ubuntu2.2_sparc.deb
Size/MD5: 517136 7a6bc0cd8bbf73514d54624431e8c1b3

Updated packages for Ubuntu 7.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.5-1ub=
untu2.1.diff.gz
Size/MD5: 107642 9e04e08b57194364c8248332817049e3
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.5-1ub=
untu2.1.dsc
Size/MD5: 1115 0e95044d51301ec964cf96bda69f1a0a
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.5.ori=
g.tar.gz
Size/MD5: 1775898 94b7d29cf44f63f89d538361afa05c40

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.5-1ubuntu2.1_amd64.deb
Size/MD5: 1814690 3c1b2d9247c7f246eb8c59b9d04a4362
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
.5-1ubuntu2.1_amd64.deb
Size/MD5: 654514 7140315d855e7fab6d796be4166514a4
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
.5-1ubuntu2.1_amd64.deb
Size/MD5: 617618 8c73c94bd43e89da32a0549c0c4218b6

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.5-1ubuntu2.1_i386.deb
Size/MD5: 1672926 1b323221b09fca189b471079f1ee5612
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
.5-1ubuntu2.1_i386.deb
Size/MD5: 621486 fa8977d8a945022fcdcf460d25d57141
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
.5-1ubuntu2.1_i386.deb
Size/MD5: 588164 df780cc94e95fabf7793139ed8ca4c1e

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.5-1ubuntu2.1_powerpc.deb
Size/MD5: 1831950 d79e9f2cd81daab0eb7ae642d0444a0e
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
.5-1ubuntu2.1_powerpc.deb
Size/MD5: 656610 941223abf4f45c00434ff50a1323efad
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
.5-1ubuntu2.1_powerpc.deb
Size/MD5: 621772 c4557afdeac4488718e3e4cd7d66aed6

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.5-1ubuntu2.1_sparc.deb
Size/MD5: 1666806 8dc28e714f31d687a1283f888f8b6301
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
.5-1ubuntu2.1_sparc.deb
Size/MD5: 618418 f7f5afcaf0de5164b0f1189dabb7761d
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
.5-1ubuntu2.1_sparc.deb
Size/MD5: 585178 fdb2b1bfc470ed595671596656d1e12c


--xku3GkZTJumTa1rO
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHhpXXH/9LqRcGPm0RAt3KAJsF5CgegDZ48PBAV2kCLY4E9omFRwCfbkeo
QNWHhXj0QGhFx93fhN0QeSA=
=VlyV
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_567_1_dovecot_vulnerability.html)