| Test ID: | 1.3.6.1.4.1.25623.1.0.60675 |
| Category: | Ubuntu Local Security Checks |
| Title: | Ubuntu USN-593-1 (dovecot) |
| Summary: | Ubuntu USN-593-1 (dovecot) |
| Description: | The remote host is missing an update to dovecot announced via advisory USN-593-1.

A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS, Ubuntu 6.10, Ubuntu 7.04 and Ubuntu 7.10. This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

Details follow:

It was discovered that the default configuration of dovecot could allow access to any email files with group mail without verifying that a user had valid rights. An attacker able to create symlinks in their mail directory could exploit this to read or delete another user's email. (CVE-2008-1199)

By default, dovecot passed special characters to the underlying authentication systems. While Ubuntu releases of dovecot are not known to be vulnerable, the authentication routine was proactively improved to avoid potential future problems. (CVE-2008-1218)

Solution: The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS: dovecot-common 1.0.beta3-3ubuntu5.6, dovecot-imapd 1.0.beta3-3ubuntu5.6, dovecot-pop3d 1.0.beta3-3ubuntu5.6
Ubuntu 6.10: dovecot-common 1.0.rc2-1ubuntu2.3, dovecot-imapd 1.0.rc2-1ubuntu2.3, dovecot-pop3d 1.0.rc2-1ubuntu2.3
Ubuntu 7.04: dovecot-common 1.0.rc17-1ubuntu2.3, dovecot-imapd 1.0.rc17-1ubuntu2.3, dovecot-pop3d 1.0.rc17-1ubuntu2.3
Ubuntu 7.10: dovecot-common 1:1.0.5-1ubuntu2.2, dovecot-imapd 1:1.0.5-1ubuntu2.2, dovecot-pop3d 1:1.0.5-1ubuntu2.2

After a standard system upgrade, additional dovecot configuration changes are needed.

ATTENTION: Due to an unavoidable configuration update, the dovecot settings in /etc/dovecot/dovecot.conf need to be updated manually. During the update, a configuration file conflict will be shown. The default setting mail_extra_groups = mail should be changed to mail_privileged_group = mail. If your local configuration uses groups other than mail, you may need to use the new mail_access_groups setting as well.

http://www.securityspace.com/smysecure/catid.html?in=USN-593-1

Risk factor : High |
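The two conditions the advisory describes (package below the fixed version, and the old mail_extra_groups = mail setting still in dovecot.conf) can be checked offline. The following is an added example written for this page, not the NVT's own code and not Dovecot or Ubuntu code: it implements the dpkg version ordering (epoch, upstream, revision, with the usual digit/non-digit and "~" rules) and a minimal top-level parser for dovecot.conf. It assumes you feed it the installed versions (for instance from `dpkg-query -W -f='${Version}' dovecot-common`) and the configuration text; the sample configurations at the bottom are constructed, and the extra warning about mail_access_groups is a caveat added here (the Dovecot documentation warns that granting the mail group through that setting is dangerous where users can create symlinks), not something the advisory itself states.

```python
# Added example, not the NVT's own code: an offline check for USN-593-1 that
# takes installed package versions (e.g. `dpkg-query -W -f='${Version}'
# dovecot-common`) and the text of /etc/dovecot/dovecot.conf as input.

# Fixed versions per Ubuntu release, exactly as listed in USN-593-1.
FIXED_VERSIONS = {
    "6.06": "1.0.beta3-3ubuntu5.6",
    "6.10": "1.0.rc2-1ubuntu2.3",
    "7.04": "1.0.rc17-1ubuntu2.3",
    "7.10": "1:1.0.5-1ubuntu2.2",
}
AFFECTED_PACKAGES = ("dovecot-common", "dovecot-imapd", "dovecot-pop3d")


def _char_order(c):
    # dpkg ordering inside non-digit runs: '~' sorts before everything, even
    # the end of the string (0); letters sort before all other characters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare like dpkg's verrevcmp: alternate non-digit and numeric digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        sa, sb = i, j
        while i < len(a) and not a[i].isdigit():
            i += 1
        while j < len(b) and not b[j].isdigit():
            j += 1
        r = _cmp_nondigit(a[sa:i], b[sb:j])
        if r:
            return r
        sa, sb = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[sa:i] or "0"), int(b[sb:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian-style version a is <, == or > b."""
    def split(v):  # -> (epoch, upstream, debian_revision)
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def needs_update(release, package, installed):
    """True if an affected package on that release is below the fixed version."""
    if release not in FIXED_VERSIONS or package not in AFFECTED_PACKAGES:
        return False
    return compare_versions(installed, FIXED_VERSIONS[release]) < 0


def parse_dovecot_conf(text):
    """Collect top-level 'key = value' settings; comments and {} blocks skipped."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def audit_mail_groups(conf_text):
    """Return (insecure, findings) for the group settings the advisory names."""
    s, findings = parse_dovecot_conf(conf_text), []
    if s.get("mail_extra_groups"):
        findings.append("mail_extra_groups = %s gives every mail process that group "
                        "(CVE-2008-1199); use mail_privileged_group" % s["mail_extra_groups"])
    # Caveat added here: mail_access_groups keeps the old all-mail-access
    # semantics, so listing 'mail' in it re-creates the symlink exposure.
    if "mail" in [g.strip() for g in s.get("mail_access_groups", "").split(",")]:
        findings.append("mail_access_groups contains 'mail'; symlinks in a mail "
                        "directory can again reach other users' mailboxes")
    return bool(findings), findings


# Constructed sample configurations (not taken from any real host).
WEAK_CONF = "protocols = imap pop3\nmail_extra_groups = mail\nauth default {\n  mechanisms = plain\n}\n"
FIXED_CONF = WEAK_CONF.replace("mail_extra_groups", "mail_privileged_group")
```

Note the epoch: on Ubuntu 7.10 the fixed version is 1:1.0.5-1ubuntu2.2, so a naive string comparison against "1.0.5-1ubuntu2.2" would report a patched host as vulnerable; the epoch is compared first, as dpkg does. The version check alone is not enough after this update, because the package upgrade leaves the conflicting dovecot.conf for the administrator to merge, which is why the configuration audit is kept separate.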
| Cross-Ref: | Common Vulnerability Exposure (CVE) ID: CVE-2008-1199
Bugtraq: 20080304 Dovecot mail_extra_groups setting is often used insecurely
http://www.securityfocus.com/archive/1/archive/1/489133/100/0/threaded
http://www.dovecot.org/list/dovecot-news/2008-March/000061.html
Debian Security Information: DSA-1516
http://www.debian.org/security/2008/dsa-1516
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html
http://security.gentoo.org/glsa/glsa-200803-25.xml
http://www.redhat.com/support/errata/RHSA-2008-0297.html
SuSE Security Announcement: SUSE-SR:2008:020
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html
http://www.ubuntulinux.org/support/documentation/usn/usn-593-1
BugTraq ID: 28092
http://www.securityfocus.com/bid/28092
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10739
http://secunia.com/advisories/29226
http://secunia.com/advisories/29385
http://secunia.com/advisories/29396
http://secunia.com/advisories/29557
http://secunia.com/advisories/32151
http://secunia.com/advisories/30342
XForce ISS Database: dovecot-mailextragroups-unauth-access(41009)
http://xforce.iss.net/xforce/xfdb/41009

Common Vulnerability Exposure (CVE) ID: CVE-2008-1218
Bugtraq: 20080312 rPSA-2008-0108-1 dovecot
http://www.securityfocus.com/archive/1/archive/1/489481/100/0/threaded
http://www.milw0rm.com/exploits/5257
http://www.dovecot.org/list/dovecot-news/2008-March/000065.html
http://www.dovecot.org/list/dovecot-news/2008-March/000064.html
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108
https://issues.rpath.com/browse/RPL-2341
BugTraq ID: 28181
http://www.securityfocus.com/bid/28181
http://secunia.com/advisories/29295
http://secunia.com/advisories/29364
XForce ISS Database: dovecot-tab-authentication-bypass(41085)
http://xforce.iss.net/xforce/xfdb/41085 |
| Copyright | Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com |