LinuxSecurity.com
Ubuntu: Dovecot vulnerabilities
Posted by Benjamin D. Thomas   
It was discovered that the ACL plugin in Dovecot would incorrectly handle negative access rights. An attacker could exploit this flaw to access the Dovecot server, bypassing the intended access restrictions. This only affected Ubuntu 8.04 LTS. (CVE-2008-4577) It was discovered that the ManageSieve service in Dovecot incorrectly handled ".." in script names. A remote attacker could exploit this to read and modify arbitrary sieve files on the server. This only affected Ubuntu 8.10. (CVE-2008-5301) It was discovered that the Sieve plugin in Dovecot incorrectly handled certain sieve scripts. An authenticated user could exploit this with a crafted sieve script to cause a denial of service or possibly execute arbitrary code. (CVE-2009-2632, CVE-2009-3235)
===========================================================
Ubuntu Security Notice USN-838-1         September 28, 2009
dovecot vulnerabilities
CVE-2008-4577, CVE-2008-5301, CVE-2009-2632, CVE-2009-3235
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  dovecot-common                  1:1.0.10-1ubuntu5.2

Ubuntu 8.10:
  dovecot-common                  1:1.1.4-0ubuntu1.3

Ubuntu 9.04:
  dovecot-common                  1:1.1.11-0ubuntu4.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that the ACL plugin in Dovecot would incorrectly handle
negative access rights. An attacker could exploit this flaw to access the
Dovecot server, bypassing the intended access restrictions. This only
affected Ubuntu 8.04 LTS. (CVE-2008-4577)

It was discovered that the ManageSieve service in Dovecot incorrectly
handled ".." in script names. A remote attacker could exploit this to read
and modify arbitrary sieve files on the server. This only affected Ubuntu
8.10. (CVE-2008-5301)

It was discovered that the Sieve plugin in Dovecot incorrectly handled
certain sieve scripts. An authenticated user could exploit this with a
crafted sieve script to cause a denial of service or possibly execute
arbitrary code. (CVE-2009-2632, CVE-2009-3235)






 