Test ID: | 1.3.6.1.4.1.25623.1.0.60675 |
Category: | Ubuntu Local Security Checks |
Title: | Ubuntu USN-593-1 (dovecot) |
Summary: | NOSUMMARY |
Description: | The remote host is missing an update to dovecot announced via advisory USN-593-1.

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

Details follow:

It was discovered that the default configuration of dovecot could allow access to any email files with group mail without verifying that a user had valid rights. An attacker able to create symlinks in their mail directory could exploit this to read or delete another user's email. (CVE-2008-1199)

By default, dovecot passed special characters to the underlying authentication systems. While Ubuntu releases of dovecot are not known to be vulnerable, the authentication routine was proactively improved to avoid potential future problems. (CVE-2008-1218)

Solution: The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  dovecot-common 1.0.beta3-3ubuntu5.6
  dovecot-imapd 1.0.beta3-3ubuntu5.6
  dovecot-pop3d 1.0.beta3-3ubuntu5.6

Ubuntu 6.10:
  dovecot-common 1.0.rc2-1ubuntu2.3
  dovecot-imapd 1.0.rc2-1ubuntu2.3
  dovecot-pop3d 1.0.rc2-1ubuntu2.3

Ubuntu 7.04:
  dovecot-common 1.0.rc17-1ubuntu2.3
  dovecot-imapd 1.0.rc17-1ubuntu2.3
  dovecot-pop3d 1.0.rc17-1ubuntu2.3

Ubuntu 7.10:
  dovecot-common 1:1.0.5-1ubuntu2.2
  dovecot-imapd 1:1.0.5-1ubuntu2.2
  dovecot-pop3d 1:1.0.5-1ubuntu2.2

After a standard system upgrade, additional dovecot configuration changes are needed.

ATTENTION: Due to an unavoidable configuration update, the dovecot settings in /etc/dovecot/dovecot.conf need to be updated manually. During the update, a configuration file conflict will be shown. The default setting mail_extra_groups = mail should be changed to mail_privileged_group = mail. If your local configuration uses groups other than mail, you may need to use the new mail_access_groups setting as well.

http://www.securityspace.com/smysecure/catid.html?in=USN-593-1

Risk factor: High
CVSS Score: 6.8 |
Cross-reference: |
Common Vulnerability Exposure (CVE) ID: CVE-2008-1199
BugTraq ID: 28092
http://www.securityfocus.com/bid/28092
Bugtraq: 20080304 Dovecot mail_extra_groups setting is often used insecurely
http://www.securityfocus.com/archive/1/489133/100/0/threaded
Debian Security Information: DSA-1516
http://www.debian.org/security/2008/dsa-1516
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html
http://security.gentoo.org/glsa/glsa-200803-25.xml
http://www.dovecot.org/list/dovecot-news/2008-March/000061.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739
http://www.redhat.com/support/errata/RHSA-2008-0297.html
http://secunia.com/advisories/29226
http://secunia.com/advisories/29385
http://secunia.com/advisories/29396
http://secunia.com/advisories/29557
http://secunia.com/advisories/30342
http://secunia.com/advisories/32151
SuSE Security Announcement: SUSE-SR:2008:020
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html
https://usn.ubuntu.com/593-1/
XForce ISS Database: dovecot-mailextragroups-unauth-access(41009)
https://exchange.xforce.ibmcloud.com/vulnerabilities/41009

Common Vulnerability Exposure (CVE) ID: CVE-2008-1218
BugTraq ID: 28181
http://www.securityfocus.com/bid/28181
Bugtraq: 20080312 rPSA-2008-0108-1 dovecot
http://www.securityfocus.com/archive/1/489481/100/0/threaded
https://www.exploit-db.com/exploits/5257
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108
http://www.dovecot.org/list/dovecot-news/2008-March/000064.html
http://www.dovecot.org/list/dovecot-news/2008-March/000065.html
http://secunia.com/advisories/29295
http://secunia.com/advisories/29364
XForce ISS Database: dovecot-tab-authentication-bypass(41085)
https://exchange.xforce.ibmcloud.com/vulnerabilities/41085 |
Copyright | Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com |