Search This Blog

Tuesday, August 28, 2007

[SECURITY] [DSA 1359-1] New dovecot packages fix directory traversal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA 1359-1 security@debian.org
http://www.debian.org/security/

Steve Kemp
August 28th, 2007

http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : dovecot
Vulnerability : directory traversal
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-2231


It was discovered that dovecot, a secure mail server that supports mbox
and maildir mailboxes, when configured to use non-system-user spools
and compressed folders, may allow directory traversal in mailbox names.

For the stable distribution (etch), this problem has been fixed in
version 1.0.rc15-2etch1.

For the old stable distribution (sarge), this problem was not present.

For the unstable distribution this problem with be fixed soon.

We recommend that you upgrade your dovecot package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- --------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch1.dsc

Size/MD5 checksum: 1007 cde4bffef0b1c78324bc8adc6354eaa4

http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz

Size/MD5 checksum: 1463069 26f3d2b075856b1b1d180146363819e6

http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch1.diff.gz

Size/MD5 checksum: 94823 fbf56611ccca44cee2a4663c8fbb56c0

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_alpha.deb

Size/MD5 checksum: 618818 3b125c8d36e45fede3d73464a5e7f12a

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_alpha.deb

Size/MD5 checksum: 1373836 97c909a2774519f3d04a33c74212cb05

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_alpha.deb

Size/MD5 checksum: 580708 d840ccd638850f72014e89641fbe9569

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_amd64.deb

Size/MD5 checksum: 534118 8869870afff4eb25559457faece371d4

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_amd64.deb

Size/MD5 checksum: 568180 ebf3cfcb5343f48379ef14989a9482ef

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_amd64.deb

Size/MD5 checksum: 1224650 79fbf3019551461c68197a5e5f6a6620

arm architecture (ARM)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_arm.deb

Size/MD5 checksum: 1116470 a3774a96d2daf2534613cd75e9044726

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_arm.deb

Size/MD5 checksum: 503858 45c610525a211f80462ee8a30b997b98

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_arm.deb

Size/MD5 checksum: 534534 e7af01554616f50b38b63e76a0035402

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_hppa.deb

Size/MD5 checksum: 1293812 b77e446a414f88c05aa073c663e1aff3

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_hppa.deb

Size/MD5 checksum: 596290 207bcda07cad9d263b4543c87788553d

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_hppa.deb

Size/MD5 checksum: 559686 bab920cd7543cfaea2a76e03cc087d51

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_i386.deb

Size/MD5 checksum: 1127680 80fab6db53d353058b801e5ad42cd305

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_i386.deb

Size/MD5 checksum: 511940 b773c45daa6483d02af9f4f702a538f7

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_i386.deb

Size/MD5 checksum: 544082 d4685011b8c8359f849a2fc3f65cb0b3

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_ia64.deb

Size/MD5 checksum: 789702 84fb674f3f568db180c41cfb21088d5f

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_ia64.deb

Size/MD5 checksum: 1694430 e4c5c30e65312e92ec151d55f308c473

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_ia64.deb

Size/MD5 checksum: 733296 4b718887ebdcc88600999e0270e12ec0

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_mips.deb

Size/MD5 checksum: 593030 1af3fc78abbcf4f0c9aece1fad08b624

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_mips.deb

Size/MD5 checksum: 557018 3bcd83e867f03d1dfac558f1df1a7ca5

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_mips.deb

Size/MD5 checksum: 1258216 833f0f974dfe83db4d3cab0351f4c33b

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_mipsel.deb

Size/MD5 checksum: 1263156 b8c3335d051c0be6b2923f5e939594cd

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_mipsel.deb

Size/MD5 checksum: 592544 61b1b479bb89219e9493c8140913ff07

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_mipsel.deb

Size/MD5 checksum: 556560 67fd4d0ba283209202c0b4564a2ae74a

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_s390.deb

Size/MD5 checksum: 1284486 5b39d3b4db4ab8f4360406037e118a88

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_s390.deb

Size/MD5 checksum: 592810 7361ea663e14012502c9821e9d2fdf70

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_s390.deb

Size/MD5 checksum: 557544 1dce29ac718f481894db452aef8c783d

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_sparc.deb

Size/MD5 checksum: 1103380 47e7f2cf8d8276ee941ab7332ad356ab

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_sparc.deb

Size/MD5 checksum: 531158 41e6f8e91ddc0bda4089aa1e1ac97432

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_sparc.deb

Size/MD5 checksum: 499596 4bdaaa9e12ef03ee5800c1b291970479


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG1GIhwM/Gs81MDZ0RAu2+AKClyc+Hp8T8rfMqjq5UaMnBYLo1BgCg3RHL
qAHaDowybNaXwDlnofswnAg=
=KY3M
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments: