LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: August 15th, 2014
Linux Advisory Watch: August 8th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Ubuntu: Dovecot vulnerability Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu It was discovered that Dovecot, when configured to use non-system-user spools and compressed folders, would allow directory traversals in mailbox names. Remote authenticated users could potentially read email owned by other users.
=========================================================== 
Ubuntu Security Notice USN-487-1              July 17, 2007
dovecot vulnerability
CVE-2007-2231
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  dovecot-common                           1.0.beta3-3ubuntu5.5

Ubuntu 6.10:
  dovecot-common                           1.0.rc2-1ubuntu2.2

Ubuntu 7.04:
  dovecot-common                           1.0.rc17-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Dovecot, when configured to use non-system-user
spools and compressed folders, would allow directory traversals in
mailbox names.  Remote authenticated users could potentially read email
owned by other users.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3-3ubuntu5.5.diff.gz
      Size/MD5:   469298 29bd87efba635fd5eedb3895d20acc46
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3-3ubuntu5.5.dsc
      Size/MD5:      867 5036d7a6d364a2ad840b0d54e3339f38
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3.orig.tar.gz
      Size/MD5:  1360574 5418f9f7fe99e4f10bb82d9fe504138a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.beta3-3ubuntu5.5_amd64.deb
      Size/MD5:   962840 6cca1d5abd731afba38bb29f6c9933f5
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.beta3-3ubuntu5.5_amd64.deb
      Size/MD5:   532874 e9e41c0952c466de86cb5ce0e6587a22
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.beta3-3ubuntu5.5_amd64.deb
      Size/MD5:   500994 bc7b6969f03f5f311848410e935dfded

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.beta3-3ubuntu5.5_i386.deb
      Size/MD5:   838814 753181c3a1179a6ec1bd72b13dc5b9a4
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.beta3-3ubuntu5.5_i386.deb
      Size/MD5:   486092 d11b682eb421301f797e80194b51b67b
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.beta3-3ubuntu5.5_i386.deb
      Size/MD5:   456858 d8ca7cb44101b96455b891e9e42bc5b3

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.beta3-3ubuntu5.5_powerpc.deb
      Size/MD5:   941292 e1d73b71061280687181e8f938b8e264
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.beta3-3ubuntu5.5_powerpc.deb
      Size/MD5:   526582 4f89130337e474c68a419f4724cf1aa4
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.beta3-3ubuntu5.5_powerpc.deb
      Size/MD5:   494322 ebbdc5b738172d4dfc6b25ec39ddfa91

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.beta3-3ubuntu5.5_sparc.deb
      Size/MD5:   855402 12181c54c433922b9eee15f585a0ae8f
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.beta3-3ubuntu5.5_sparc.deb
      Size/MD5:   492088 9d4880192868043bbc62096ea23ac2e0
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.beta3-3ubuntu5.5_sparc.deb
      Size/MD5:   462252 5f62fd110c14911bcfb406a84703cb5d

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2-1ubuntu2.2.diff.gz
      Size/MD5:   473084 483a9eb80e9750acdf385ed824056db9
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2-1ubuntu2.2.dsc
      Size/MD5:      900 11dc25bceb20c8e6d6870b53f38bdc3c
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2.orig.tar.gz
      Size/MD5:  1257435 e27a248b2ee224e4618aa2f020150041

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc2-1ubuntu2.2_amd64.deb
      Size/MD5:   936296 0ae0d9e4217dae4b910b489670f25a5e
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc2-1ubuntu2.2_amd64.deb
      Size/MD5:   387028 dee13d869de26b760f55f2ca79aa9459
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc2-1ubuntu2.2_amd64.deb
      Size/MD5:   353208 7f8cd14c0f45fa2d60b81112361e47ea

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc2-1ubuntu2.2_i386.deb
      Size/MD5:   833674 a8f0594ac17eaf15b7b8574bed437d8a
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc2-1ubuntu2.2_i386.deb
      Size/MD5:   354212 31a82ddd4094a0293bd80e20387e734a
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc2-1ubuntu2.2_i386.deb
      Size/MD5:   323498 69cb3e9d2aad06b53627a0da1f2f0cf5

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc2-1ubuntu2.2_powerpc.deb
      Size/MD5:   924998 9158a6ee1b882ec64d2e7bd0ad337ebe
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc2-1ubuntu2.2_powerpc.deb
      Size/MD5:   385336 9608f3975460aea5cf553d454f6522ff
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc2-1ubuntu2.2_powerpc.deb
      Size/MD5:   352020 9facc03f70e9d7ad823ef0ed4b6fc20c

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc2-1ubuntu2.2_sparc.deb
      Size/MD5:   820528 97f8b26eba76a6351c60f2ff2d02a48d
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc2-1ubuntu2.2_sparc.deb
      Size/MD5:   347752 b8ce2d4174b4aefee2ddaa311d0db376
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc2-1ubuntu2.2_sparc.deb
      Size/MD5:   316908 d5b9a64f49f61f617e73d6371a3f9ed1

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-1ubuntu2.1.diff.gz
      Size/MD5:    99862 9bf881b3592e2d48e4b31123fe43563b
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-1ubuntu2.1.dsc
      Size/MD5:     1099 c657aea243cfbeac420794c0a43bae95
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17.orig.tar.gz
      Size/MD5:  1512386 881bcc7d2c8fba6d337f3e616a602bf7

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc17-1ubuntu2.1_amd64.deb
      Size/MD5:  1274644 46145219067be168cfe05961140faabf
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc17-1ubuntu2.1_amd64.deb
      Size/MD5:   586540 eac2b3216e1f76c20354c322f3b1bae0
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc17-1ubuntu2.1_amd64.deb
      Size/MD5:   552280 cffa97e43063a8c27382b302541cf00b

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc17-1ubuntu2.1_i386.deb
      Size/MD5:  1164578 45655df2ab5d68ab09c17a52b286fef5
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc17-1ubuntu2.1_i386.deb
      Size/MD5:   554174 33f48b9b7d8639ccb75cbccbaa48e59d
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc17-1ubuntu2.1_i386.deb
      Size/MD5:   521498 c7094f9dd1fabcae02f4e535d24c9c7f

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc17-1ubuntu2.1_powerpc.deb
      Size/MD5:  1291064 6b55bb639475bcecbf00655ad6cd27ea
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc17-1ubuntu2.1_powerpc.deb
      Size/MD5:   590906 6afd3063c2bbe6c46119d7c2bf0114a1
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc17-1ubuntu2.1_powerpc.deb
      Size/MD5:   556068 009c76cc27d1812d2abf6d997116e500

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc17-1ubuntu2.1_sparc.deb
      Size/MD5:  1158070 25978232a1680992b84edc754f9f42e9
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc17-1ubuntu2.1_sparc.deb
      Size/MD5:   549476 d9d6f94295f77b1d42f6775e38475fd1
    http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc17-1ubuntu2.1_sparc.deb
      Size/MD5:   517012 58f2daca2b94c95c66f30277f8401373


 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Google Fixes 12 Vulnerabilities in Chrome 36
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.