=========================================================== 
Ubuntu Security Notice USN-593-1             March 26, 2008
dovecot vulnerabilities
CVE-2008-1199, CVE-2008-1218
==========================================================
A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  dovecot-common                  1.0.beta3-3ubuntu5.6
  dovecot-imapd                   1.0.beta3-3ubuntu5.6
  dovecot-pop3d                   1.0.beta3-3ubuntu5.6

Ubuntu 6.10:
  dovecot-common                  1.0.rc2-1ubuntu2.3
  dovecot-imapd                   1.0.rc2-1ubuntu2.3
  dovecot-pop3d                   1.0.rc2-1ubuntu2.3

Ubuntu 7.04:
  dovecot-common                  1.0.rc17-1ubuntu2.3
  dovecot-imapd                   1.0.rc17-1ubuntu2.3
  dovecot-pop3d                   1.0.rc17-1ubuntu2.3

Ubuntu 7.10:
  dovecot-common                  1:1.0.5-1ubuntu2.2
  dovecot-imapd                   1:1.0.5-1ubuntu2.2
  dovecot-pop3d                   1:1.0.5-1ubuntu2.2

After a standard system upgrade, additional dovecot configuration changes
are needed.

ATTENTION: Due to an unavoidable configuration update, the dovecot
settings in /etc/dovecot/dovecot.conf need to be updated manually.
During the update, a configuration file conflict will be shown.
The default setting "mail_extra_groups = mail" should be changed to
"mail_privileged_group = mail".  If your local configuration uses groups
other than "mail", you may need to use the new "mail_access_groups"
setting as well.

Details follow:

It was discovered that the default configuration of dovecot could allow
access to any email files with group "mail" without verifying that a user
had valid rights.  An attacker able to create symlinks in their mail
directory could exploit this to read or delete another user's email.
(CVE-2008-1199)

By default, dovecot passed special characters to the underlying
authentication systems.  While Ubuntu releases of dovecot are not known
to be vulnerable, the authentication routine was proactively improved
to avoid potential future problems.  (CVE-2008-1218)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

          Size/MD5:   482805 f572acb482f90bb083314e880a772806
          Size/MD5:      867 f388415adecfb6e6b66821c601202954
          Size/MD5:  1360574 5418f9f7fe99e4f10bb82d9fe504138a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5:   968546 0a9feb89c2b960cbb283a0a957c1ab3b
          Size/MD5:   535154 c3fabd531b6c633a48ee9d3dfe5fbea9
          Size/MD5:   503144 bb2ae9e81eb6188263827cb87cba29e7

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5:   842602 3a3b5f8a056546dcad50211b6a66b17e
          Size/MD5:   487858 735fe4c9291d8f3e2f6ea93df9e6a722
          Size/MD5:   458548 a32d03a27e76610ef5e9a5b25adc369d

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5:   946420 888fd964ff401c9436810f59a56c960e
          Size/MD5:   528892 65204a0f2de667fcc5bb7097c2973df9
          Size/MD5:   496616 8b71cb5999b41bd150d1427090f5266a

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5:   859702 096725e1d08fb32b4c30e4cb06a303ee
          Size/MD5:   494022 69cb816c90fbc8c154860150beb54df1
          Size/MD5:   464254 49ef9af48a8bcbc1b43cf64e579c8bac

Updated packages for Ubuntu 6.10:

  Source archives:

          Size/MD5:   481921 30469a011f337d9ea2af0d5660cdc3bb
          Size/MD5:      900 103e47535573605f059bfe512bbe9e9d
          Size/MD5:  1257435 e27a248b2ee224e4618aa2f020150041

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5:   941192 6d872ad2200983d3c6fb0af0af1689b4
          Size/MD5:   389328 d249f6bee773d0302cb500107d5c30f1
          Size/MD5:   355572 af818dec4a8102797efe010c52d2f3da

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5:   837862 a2e1e5ab801a81bd7ede896c68b471dc
          Size/MD5:   356148 fe47879721273c223fdb02b820572c2d
          Size/MD5:   325538 930636d7b634b371ef7564a54f7ebbc8

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5:   930236 0e501c64167c62697a6d35f77723f626
          Size/MD5:   387640 e383c12a8ae5f38f99b5605fe615d303
          Size/MD5:   354172 3b497cae8495e559124a8a32d0199fec

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5:   825242 483e84acb29649b05fd20b0516462e36
          Size/MD5:   349766 ae08a2bc0af7693fd3eba475cdefea81
          Size/MD5:   318894 b0962827bc67760168431aa08407c40a

Updated packages for Ubuntu 7.04:

  Source archives:

          Size/MD5:   110359 d45086b091902ffe4c897a37500640ef
          Size/MD5:     1100 2ebee5689361d891820080b8c03c1b80
          Size/MD5:  1512386 881bcc7d2c8fba6d337f3e616a602bf7

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5:  1279482 7ca87aed81c784bc5fadcf51df7bb07b
          Size/MD5:   589038 f7053e7a3037267a13de1b7d7daba6ae
          Size/MD5:   554270 7f92ed3a933b775a6301b1d8723e60d0

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5:  1169674 fc5fbc9f8b4c33fb2f773c7767625c79
          Size/MD5:   556308 13e0b06665a17c56da6d17ec3af892ca
          Size/MD5:   523676 681dd1951ef3d61b225930f9ba20f1d4

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5:  1296474 b691fd7d6d5a5df7b08af8d732f806e1
          Size/MD5:   593374 77b2a2b0bf8f05c5fd8c03887dd0739d
          Size/MD5:   558844 03bde80aa2b1282c9131590cc530e68d

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5:  1163166 66565dbe0abf26fa13e1eae8d51f81f8
          Size/MD5:   551744 d7858288e8326aad4cff410e5336ce1d
          Size/MD5:   519076 45e334d300da1c76f5da042d0dbbfe44

Updated packages for Ubuntu 7.10:

  Source archives:

          Size/MD5:   116694 c21b8fd1aa899cec34c5428d953ba992
          Size/MD5:     1115 74def18e831b00a23b5ee06f36634e55
          Size/MD5:  1775898 94b7d29cf44f63f89d538361afa05c40

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5:  1822104 aebc0d840798e22dd1794b12f65fb65f
          Size/MD5:   656608 d3ad8a6801d0be7060a2f57787cd93db
          Size/MD5:   620032 ed96dadf810230c3f19fb1c07963b551

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5:  1680262 d4014ff94fd68f928c8b91a2bfbf8143
          Size/MD5:   623590 2b42a167edcc0614b6f2b657319bda7d
          Size/MD5:   590130 2bab04499b1cbf80042248ba3250c585

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5:  1840504 d989541e39e1ddad883537907502b0f4
          Size/MD5:   659636 cb7c4ca376b74c8e36ae80b14277c25d
          Size/MD5:   624332 022c275417a9ac846b5ed09eea225e84

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5:  1674688 798e926a5b6180a64fced9c592b38762
          Size/MD5:   620580 9fb4843e505d09dcc0374b6bbc4dbb3b
          Size/MD5:   587500 08bd76dc21c61c368b092d9c6d674e0a


--CE+1k2dSO48ffgeK
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH6smuH/9LqRcGPm0RAsDYAJ4gy2CrktcfITTovHOWPiEUiZzNogCfY5Si
2zV7JuuRkvlTGOfGX/L6+Nc=IPqx
-----END PGP SIGNATURE-------CE+1k2dSO48ffgeK--
--==============E16377562864982963=Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--==============E16377562864982963==--

Ubuntu: Dovecot vulnerabilities

March 26, 2008
It was discovered that the default configuration of dovecot could allow access to any email files with group "mail" without verifying that a user had valid rights

Summary

Update Instructions

References

Severity
Ubuntu Security Notice USN-593-1 March 26, 2008

Package Information

Related News

30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
2.Motherboard Esm H320
2 - 3 min read
The recently uncovered "Native Branch History Injection (BHI)" exploit against the Linux kernel marks a significant milestone in the ongoing battle
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved