Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: February 27th, 2015
Linux Security Week: February 23rd, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Ubuntu: Dovecot vulnerabilities Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu It was discovered that the default configuration of dovecot could allow access to any email files with group "mail" without verifying that a user had valid rights. An attacker able to create symlinks in their mail directory could exploit this to read or delete another user's email. (CVE-2008-1199)
Ubuntu Security Notice USN-593-1             March 26, 2008
dovecot vulnerabilities
CVE-2008-1199, CVE-2008-1218

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  dovecot-common                  1.0.beta3-3ubuntu5.6
  dovecot-imapd                   1.0.beta3-3ubuntu5.6
  dovecot-pop3d                   1.0.beta3-3ubuntu5.6

Ubuntu 6.10:
  dovecot-common                  1.0.rc2-1ubuntu2.3
  dovecot-imapd                   1.0.rc2-1ubuntu2.3
  dovecot-pop3d                   1.0.rc2-1ubuntu2.3

Ubuntu 7.04:
  dovecot-common                  1.0.rc17-1ubuntu2.3
  dovecot-imapd                   1.0.rc17-1ubuntu2.3
  dovecot-pop3d                   1.0.rc17-1ubuntu2.3

Ubuntu 7.10:
  dovecot-common                  1:1.0.5-1ubuntu2.2
  dovecot-imapd                   1:1.0.5-1ubuntu2.2
  dovecot-pop3d                   1:1.0.5-1ubuntu2.2

After a standard system upgrade, additional dovecot configuration changes
are needed.

ATTENTION: Due to an unavoidable configuration update, the dovecot
settings in /etc/dovecot/dovecot.conf need to be updated manually.
During the update, a configuration file conflict will be shown.
The default setting "mail_extra_groups = mail" should be changed to
"mail_privileged_group = mail".  If your local configuration uses groups
other than "mail", you may need to use the new "mail_access_groups"
setting as well.

Details follow:

It was discovered that the default configuration of dovecot could allow
access to any email files with group "mail" without verifying that a user
had valid rights.  An attacker able to create symlinks in their mail
directory could exploit this to read or delete another user's email.

By default, dovecot passed special characters to the underlying
authentication systems.  While Ubuntu releases of dovecot are not known
to be vulnerable, the authentication routine was proactively improved
to avoid potential future problems.  (CVE-2008-1218)

Updated packages for Ubuntu 6.06 LTS:

  Source archives:
      Size/MD5:   482805 f572acb482f90bb083314e880a772806
      Size/MD5:      867 f388415adecfb6e6b66821c601202954
      Size/MD5:  1360574 5418f9f7fe99e4f10bb82d9fe504138a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5:   968546 0a9feb89c2b960cbb283a0a957c1ab3b
      Size/MD5:   535154 c3fabd531b6c633a48ee9d3dfe5fbea9
      Size/MD5:   503144 bb2ae9e81eb6188263827cb87cba29e7

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5:   842602 3a3b5f8a056546dcad50211b6a66b17e
      Size/MD5:   487858 735fe4c9291d8f3e2f6ea93df9e6a722
      Size/MD5:   458548 a32d03a27e76610ef5e9a5b25adc369d

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5:   946420 888fd964ff401c9436810f59a56c960e
      Size/MD5:   528892 65204a0f2de667fcc5bb7097c2973df9
      Size/MD5:   496616 8b71cb5999b41bd150d1427090f5266a

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5:   859702 096725e1d08fb32b4c30e4cb06a303ee
      Size/MD5:   494022 69cb816c90fbc8c154860150beb54df1
      Size/MD5:   464254 49ef9af48a8bcbc1b43cf64e579c8bac

Updated packages for Ubuntu 6.10:

  Source archives:
      Size/MD5:   481921 30469a011f337d9ea2af0d5660cdc3bb
      Size/MD5:      900 103e47535573605f059bfe512bbe9e9d
      Size/MD5:  1257435 e27a248b2ee224e4618aa2f020150041

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5:   941192 6d872ad2200983d3c6fb0af0af1689b4
      Size/MD5:   389328 d249f6bee773d0302cb500107d5c30f1
      Size/MD5:   355572 af818dec4a8102797efe010c52d2f3da

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5:   837862 a2e1e5ab801a81bd7ede896c68b471dc
      Size/MD5:   356148 fe47879721273c223fdb02b820572c2d
      Size/MD5:   325538 930636d7b634b371ef7564a54f7ebbc8

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5:   930236 0e501c64167c62697a6d35f77723f626
      Size/MD5:   387640 e383c12a8ae5f38f99b5605fe615d303
      Size/MD5:   354172 3b497cae8495e559124a8a32d0199fec

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5:   825242 483e84acb29649b05fd20b0516462e36
      Size/MD5:   349766 ae08a2bc0af7693fd3eba475cdefea81
      Size/MD5:   318894 b0962827bc67760168431aa08407c40a

Updated packages for Ubuntu 7.04:

  Source archives:
      Size/MD5:   110359 d45086b091902ffe4c897a37500640ef
      Size/MD5:     1100 2ebee5689361d891820080b8c03c1b80
      Size/MD5:  1512386 881bcc7d2c8fba6d337f3e616a602bf7

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5:  1279482 7ca87aed81c784bc5fadcf51df7bb07b
      Size/MD5:   589038 f7053e7a3037267a13de1b7d7daba6ae
      Size/MD5:   554270 7f92ed3a933b775a6301b1d8723e60d0

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5:  1169674 fc5fbc9f8b4c33fb2f773c7767625c79
      Size/MD5:   556308 13e0b06665a17c56da6d17ec3af892ca
      Size/MD5:   523676 681dd1951ef3d61b225930f9ba20f1d4

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5:  1296474 b691fd7d6d5a5df7b08af8d732f806e1
      Size/MD5:   593374 77b2a2b0bf8f05c5fd8c03887dd0739d
      Size/MD5:   558844 03bde80aa2b1282c9131590cc530e68d

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5:  1163166 66565dbe0abf26fa13e1eae8d51f81f8
      Size/MD5:   551744 d7858288e8326aad4cff410e5336ce1d
      Size/MD5:   519076 45e334d300da1c76f5da042d0dbbfe44

Updated packages for Ubuntu 7.10:

  Source archives:
      Size/MD5:   116694 c21b8fd1aa899cec34c5428d953ba992
      Size/MD5:     1115 74def18e831b00a23b5ee06f36634e55
      Size/MD5:  1775898 94b7d29cf44f63f89d538361afa05c40

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5:  1822104 aebc0d840798e22dd1794b12f65fb65f
      Size/MD5:   656608 d3ad8a6801d0be7060a2f57787cd93db
      Size/MD5:   620032 ed96dadf810230c3f19fb1c07963b551

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5:  1680262 d4014ff94fd68f928c8b91a2bfbf8143
      Size/MD5:   623590 2b42a167edcc0614b6f2b657319bda7d
      Size/MD5:   590130 2bab04499b1cbf80042248ba3250c585

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5:  1840504 d989541e39e1ddad883537907502b0f4
      Size/MD5:   659636 cb7c4ca376b74c8e36ae80b14277c25d
      Size/MD5:   624332 022c275417a9ac846b5ed09eea225e84

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5:  1674688 798e926a5b6180a64fced9c592b38762
      Size/MD5:   620580 9fb4843e505d09dcc0374b6bbc4dbb3b
      Size/MD5:   587500 08bd76dc21c61c368b092d9c6d674e0a

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

Version: GnuPG v1.4.6 (GNU/Linux)



--==============E16377562864982963=Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

ubuntu-security-announce mailing list
Modify settings or unsubscribe at:

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
CSI: Cyber: We Watched So You Didnít Have To
PATCH FREAK NOW: Cloud providers faulted for slow response
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.