LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: August 15th, 2014
Linux Advisory Watch: August 8th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Mandriva: Subject: [Security Announce] [ MDVSA-2008:232 ] dovecot Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Mandrake The ACL plugin in dovecot prior to version 1.1.4 treated negative access rights as though they were positive access rights, which allowed attackers to bypass intended access restrictions (CVE-2008-4577).
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:232
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : dovecot
 Date    : November 19, 2008
 Affected: 2009.0
 _______________________________________________________________________

 Problem Description:

 The ACL plugin in dovecot prior to version 1.1.4 treated negative
 access rights as though they were positive access rights, which allowed
 attackers to bypass intended access restrictions (CVE-2008-4577).
 
 The ACL plugin in dovecot prior to version 1.1.6 allowed attackers to
 bypass intended access restrictions by using the 'k' right to create
 unauthorized 'parent/child/child' mailboxes (CVE-2008-4578).
 
 In addition, two bugs were discovered in the dovecot package shipped
 with Mandriva Linux 2009.0. The default permissions on the dovecot.conf
 configuration file were too restrictive, which prevents the use of
 dovecot's 'deliver' command as a non-root user. Secondly, dovecot
 should not start until after ntpd, if ntpd is active, because if ntpd
 corrects the time backwards while dovecot is running, dovecot will
 quit automatically, with the log message 'Time just moved backwards
 by X seconds. This might cause a lot of problems, so I'll just kill
 myself now.' The update resolves both these problems. The default
 permissions on dovecot.conf now allow the 'deliver' command to read the
 file. Note that if you edited dovecot.conf at all prior to installing
 the update, the new permissions may not be applied. If you find the
 'deliver' command still does not work following the update, please
 run these commands as root:
 
  # chmod 0640 /etc/dovecot.conf
  # chown root:mail /etc/dovecot.conf
 
 Dovecot's initialization script now configures it to start after the
 ntpd service, to ensure ntpd resetting the clock does not interfere
 with Dovecot operation.
 
 This package corrects the above-noted bugs and security issues by
 upgrading to the latest dovecot 1.1.6, which also provides additional
 bug fixes.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4578
 https://qa.mandriva.com/44926
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 437fcab249d5274b3101bb7c953c2a79  2009.0/i586/dovecot-1.1.6-0.1mdv2009.0.i586.rpm
 0ca908249ab050c56e61dadfd0fb1c33  2009.0/i586/dovecot-devel-1.1.6-0.1mdv2009.0.i586.rpm
 48b2d085ef9a6a1c1dfcb55f3af6090b  2009.0/i586/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.i586.rpm
 8698367ab382293be85e3e7fb65b38ca  2009.0/i586/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.i586.rpm 
 c2878a5f597b8a9f66605df32cf65a06  2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 1c4936b072f401ea2c94c6c7b3d6b427  2009.0/x86_64/dovecot-1.1.6-0.1mdv2009.0.x86_64.rpm
 5d869999de273e36c8bda186fb2610a0  2009.0/x86_64/dovecot-devel-1.1.6-0.1mdv2009.0.x86_64.rpm
 9bc71b93dce1b7995039e0cbf7623803  2009.0/x86_64/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.x86_64.rpm
 264aaf2cbec7ef2ea7071f14b6bf174a  2009.0/x86_64/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.x86_64.rpm 
 c2878a5f597b8a9f66605df32cf65a06  2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders, Research Finds
Linux Kernel Development Gets Two-Factor Authentication
Hacking cars and traffic lights at Def Con
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.