USN-593-1: Dovecot vulnerabilities
Posted on: 03/27/2008 12:35 AM

A new Dovecot vulnerabilities update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-593-1 March 26, 2008
dovecot vulnerabilities
CVE-2008-1199, CVE-2008-1218
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
dovecot-common 1.0.beta3-3ubuntu5.6
dovecot-imapd 1.0.beta3-3ubuntu5.6
dovecot-pop3d 1.0.beta3-3ubuntu5.6

Ubuntu 6.10:
dovecot-common 1.0.rc2-1ubuntu2.3
dovecot-imapd 1.0.rc2-1ubuntu2.3
dovecot-pop3d 1.0.rc2-1ubuntu2.3

Ubuntu 7.04:
dovecot-common 1.0.rc17-1ubuntu2.3
dovecot-imapd 1.0.rc17-1ubuntu2.3
dovecot-pop3d 1.0.rc17-1ubuntu2.3

Ubuntu 7.10:
dovecot-common 1:1.0.5-1ubuntu2.2
dovecot-imapd 1:1.0.5-1ubuntu2.2
dovecot-pop3d 1:1.0.5-1ubuntu2.2

After a standard system upgrade, additional dovecot configuration changes
are needed.

ATTENTION: Due to an unavoidable configuration update, the dovecot
settings in /etc/dovecot/dovecot.conf need to be updated manually.
During the update, a configuration file conflict will be shown.
The default setting "mail_extra_groups =3D mail" should be changed to
"mail_privileged_group =3D mail". If your local configuration uses groups
other than "mail", you may need to use the new "mail_access_groups"
setting as well.

Details follow:

It was discovered that the default configuration of dovecot could allow
access to any email files with group "mail" without verifying that a user
had valid rights. An attacker able to create symlinks in their mail
directory could exploit this to read or delete another user's email.
(CVE-2008-1199)

By default, dovecot passed special characters to the underlying
authentication systems. While Ubuntu releases of dovecot are not known
to be vulnerable, the authentication routine was proactively improved
to avoid potential future problems. (CVE-2008-1218)


Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3=
-3ubuntu5.6.diff.gz
Size/MD5: 482805 f572acb482f90bb083314e880a772806
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3=
-3ubuntu5.6.dsc
Size/MD5: 867 f388415adecfb6e6b66821c601202954
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3=
=2Eorig.tar.gz
Size/MD5: 1360574 5418f9f7fe99e4f10bb82d9fe504138a

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.beta3-3ubuntu5.6_amd64.deb
Size/MD5: 968546 0a9feb89c2b960cbb283a0a957c1ab3b
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Ebeta3-3ubuntu5.6_amd64.deb
Size/MD5: 535154 c3fabd531b6c633a48ee9d3dfe5fbea9
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Ebeta3-3ubuntu5.6_amd64.deb
Size/MD5: 503144 bb2ae9e81eb6188263827cb87cba29e7

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.beta3-3ubuntu5.6_i386.deb
Size/MD5: 842602 3a3b5f8a056546dcad50211b6a66b17e
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Ebeta3-3ubuntu5.6_i386.deb
Size/MD5: 487858 735fe4c9291d8f3e2f6ea93df9e6a722
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Ebeta3-3ubuntu5.6_i386.deb
Size/MD5: 458548 a32d03a27e76610ef5e9a5b25adc369d

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.beta3-3ubuntu5.6_powerpc.deb
Size/MD5: 946420 888fd964ff401c9436810f59a56c960e
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Ebeta3-3ubuntu5.6_powerpc.deb
Size/MD5: 528892 65204a0f2de667fcc5bb7097c2973df9
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Ebeta3-3ubuntu5.6_powerpc.deb
Size/MD5: 496616 8b71cb5999b41bd150d1427090f5266a

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.beta3-3ubuntu5.6_sparc.deb
Size/MD5: 859702 096725e1d08fb32b4c30e4cb06a303ee
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Ebeta3-3ubuntu5.6_sparc.deb
Size/MD5: 494022 69cb816c90fbc8c154860150beb54df1
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Ebeta3-3ubuntu5.6_sparc.deb
Size/MD5: 464254 49ef9af48a8bcbc1b43cf64e579c8bac

Updated packages for Ubuntu 6.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2-1=
ubuntu2.3.diff.gz
Size/MD5: 481921 30469a011f337d9ea2af0d5660cdc3bb
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2-1=
ubuntu2.3.dsc
Size/MD5: 900 103e47535573605f059bfe512bbe9e9d
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2.o=
rig.tar.gz
Size/MD5: 1257435 e27a248b2ee224e4618aa2f020150041

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc2-1ubuntu2.3_amd64.deb
Size/MD5: 941192 6d872ad2200983d3c6fb0af0af1689b4
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc2-1ubuntu2.3_amd64.deb
Size/MD5: 389328 d249f6bee773d0302cb500107d5c30f1
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc2-1ubuntu2.3_amd64.deb
Size/MD5: 355572 af818dec4a8102797efe010c52d2f3da

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc2-1ubuntu2.3_i386.deb
Size/MD5: 837862 a2e1e5ab801a81bd7ede896c68b471dc
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc2-1ubuntu2.3_i386.deb
Size/MD5: 356148 fe47879721273c223fdb02b820572c2d
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc2-1ubuntu2.3_i386.deb
Size/MD5: 325538 930636d7b634b371ef7564a54f7ebbc8

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc2-1ubuntu2.3_powerpc.deb
Size/MD5: 930236 0e501c64167c62697a6d35f77723f626
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc2-1ubuntu2.3_powerpc.deb
Size/MD5: 387640 e383c12a8ae5f38f99b5605fe615d303
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc2-1ubuntu2.3_powerpc.deb
Size/MD5: 354172 3b497cae8495e559124a8a32d0199fec

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc2-1ubuntu2.3_sparc.deb
Size/MD5: 825242 483e84acb29649b05fd20b0516462e36
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc2-1ubuntu2.3_sparc.deb
Size/MD5: 349766 ae08a2bc0af7693fd3eba475cdefea81
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc2-1ubuntu2.3_sparc.deb
Size/MD5: 318894 b0962827bc67760168431aa08407c40a

Updated packages for Ubuntu 7.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-=
1ubuntu2.3.diff.gz
Size/MD5: 110359 d45086b091902ffe4c897a37500640ef
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-=
1ubuntu2.3.dsc
Size/MD5: 1100 2ebee5689361d891820080b8c03c1b80
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17.=
orig.tar.gz
Size/MD5: 1512386 881bcc7d2c8fba6d337f3e616a602bf7

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.3_amd64.deb
Size/MD5: 1279482 7ca87aed81c784bc5fadcf51df7bb07b
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc17-1ubuntu2.3_amd64.deb
Size/MD5: 589038 f7053e7a3037267a13de1b7d7daba6ae
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc17-1ubuntu2.3_amd64.deb
Size/MD5: 554270 7f92ed3a933b775a6301b1d8723e60d0

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.3_i386.deb
Size/MD5: 1169674 fc5fbc9f8b4c33fb2f773c7767625c79
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc17-1ubuntu2.3_i386.deb
Size/MD5: 556308 13e0b06665a17c56da6d17ec3af892ca
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc17-1ubuntu2.3_i386.deb
Size/MD5: 523676 681dd1951ef3d61b225930f9ba20f1d4

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.3_powerpc.deb
Size/MD5: 1296474 b691fd7d6d5a5df7b08af8d732f806e1
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc17-1ubuntu2.3_powerpc.deb
Size/MD5: 593374 77b2a2b0bf8f05c5fd8c03887dd0739d
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc17-1ubuntu2.3_powerpc.deb
Size/MD5: 558844 03bde80aa2b1282c9131590cc530e68d

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.rc17-1ubuntu2.3_sparc.deb
Size/MD5: 1163166 66565dbe0abf26fa13e1eae8d51f81f8
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2Erc17-1ubuntu2.3_sparc.deb
Size/MD5: 551744 d7858288e8326aad4cff410e5336ce1d
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2Erc17-1ubuntu2.3_sparc.deb
Size/MD5: 519076 45e334d300da1c76f5da042d0dbbfe44

Updated packages for Ubuntu 7.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.5-1ub=
untu2.2.diff.gz
Size/MD5: 116694 c21b8fd1aa899cec34c5428d953ba992
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.5-1ub=
untu2.2.dsc
Size/MD5: 1115 74def18e831b00a23b5ee06f36634e55
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.5.ori=
g.tar.gz
Size/MD5: 1775898 94b7d29cf44f63f89d538361afa05c40

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.5-1ubuntu2.2_amd64.deb
Size/MD5: 1822104 aebc0d840798e22dd1794b12f65fb65f
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2E5-1ubuntu2.2_amd64.deb
Size/MD5: 656608 d3ad8a6801d0be7060a2f57787cd93db
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2E5-1ubuntu2.2_amd64.deb
Size/MD5: 620032 ed96dadf810230c3f19fb1c07963b551

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.5-1ubuntu2.2_i386.deb
Size/MD5: 1680262 d4014ff94fd68f928c8b91a2bfbf8143
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2E5-1ubuntu2.2_i386.deb
Size/MD5: 623590 2b42a167edcc0614b6f2b657319bda7d
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2E5-1ubuntu2.2_i386.deb
Size/MD5: 590130 2bab04499b1cbf80042248ba3250c585

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.5-1ubuntu2.2_powerpc.deb
Size/MD5: 1840504 d989541e39e1ddad883537907502b0f4
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2E5-1ubuntu2.2_powerpc.deb
Size/MD5: 659636 cb7c4ca376b74c8e36ae80b14277c25d
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2E5-1ubuntu2.2_powerpc.deb
Size/MD5: 624332 022c275417a9ac846b5ed09eea225e84

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
0.5-1ubuntu2.2_sparc.deb
Size/MD5: 1674688 798e926a5b6180a64fced9c592b38762
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0=
=2E5-1ubuntu2.2_sparc.deb
Size/MD5: 620580 9fb4843e505d09dcc0374b6bbc4dbb3b
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0=
=2E5-1ubuntu2.2_sparc.deb
Size/MD5: 587500 08bd76dc21c61c368b092d9c6d674e0a


--CE+1k2dSO48ffgeK
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH6smuH/9LqRcGPm0RAsDYAJ4gy2CrktcfITTovHOWPiEUiZzNogCfY5Si
2zV7JuuRkvlTGOfGX/L6+Nc=
=IPqx
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_593_1_dovecot_vulnerabilities.html)