Test ID: 1.3.6.1.4.1.25623.1.0.60675
Category: Ubuntu Local Security Checks
Title: Ubuntu USN-593-1 (dovecot)
Summary: Ubuntu USN-593-1 (dovecot)
Description:
The remote host is missing an update to dovecot
announced via advisory USN-593-1.

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

Details follow:

It was discovered that the default configuration of dovecot could allow
access to any email files with group mail without verifying that a user
had valid rights. An attacker able to create symlinks in their mail
directory could exploit this to read or delete another user's email.
(CVE-2008-1199)

By default, dovecot passed special characters to the underlying
authentication systems. While Ubuntu releases of dovecot are not known
to be vulnerable, the authentication routine was proactively improved
to avoid potential future problems. (CVE-2008-1218)

Solution:
The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
dovecot-common 1.0.beta3-3ubuntu5.6
dovecot-imapd 1.0.beta3-3ubuntu5.6
dovecot-pop3d 1.0.beta3-3ubuntu5.6

Ubuntu 6.10:
dovecot-common 1.0.rc2-1ubuntu2.3
dovecot-imapd 1.0.rc2-1ubuntu2.3
dovecot-pop3d 1.0.rc2-1ubuntu2.3

Ubuntu 7.04:
dovecot-common 1.0.rc17-1ubuntu2.3
dovecot-imapd 1.0.rc17-1ubuntu2.3
dovecot-pop3d 1.0.rc17-1ubuntu2.3

Ubuntu 7.10:
dovecot-common 1:1.0.5-1ubuntu2.2
dovecot-imapd 1:1.0.5-1ubuntu2.2
dovecot-pop3d 1:1.0.5-1ubuntu2.2

After a standard system upgrade, additional dovecot configuration changes
are needed.

ATTENTION: Due to an unavoidable configuration update, the dovecot
settings in /etc/dovecot/dovecot.conf need to be updated manually.
During the update, a configuration file conflict will be shown.
The default setting mail_extra_groups = mail should be changed to
mail_privileged_group = mail. If your local configuration uses groups
other than mail, you may need to use the new mail_access_groups
setting as well.
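
A check for the manual configuration step described above, as an added example that is not part of the advisory: it reports whether mail_extra_groups is still active in a dovecot.conf. The function names and the sample configs are constructed for illustration; on a real host, pass /etc/dovecot/dovecot.conf to audit_dovecot_conf.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a dovecot.conf for the
# manual change USN-593-1 requires after upgrading.

# Print the active (uncommented, non-empty) value(s) of setting $1 in file $2.
dovecot_setting() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                      # whole-line comment
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            val  = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == key && val != "") print val
        }' "$2"
}

# Return 1 if the legacy setting is still active, 2 if neither setting is
# present, 0 if only mail_privileged_group is set.
audit_dovecot_conf() {
    legacy=$(dovecot_setting mail_extra_groups "$1")
    priv=$(dovecot_setting mail_privileged_group "$1")
    if [ -n "$legacy" ]; then
        echo "FAIL: mail_extra_groups = $legacy still active; use mail_privileged_group"
        return 1
    fi
    if [ -z "$priv" ]; then
        echo "NOTE: neither mail_extra_groups nor mail_privileged_group is set"
        return 2
    fi
    echo "OK: mail_privileged_group = $priv"
}

# Constructed sample configs (not real system files).
sample_old_conf() { printf '%s\n' 'protocols = imap pop3' '  mail_extra_groups = mail'; }
sample_new_conf() { printf '%s\n' 'protocols = imap pop3' '#mail_extra_groups = mail' 'mail_privileged_group = mail'; }

tmp=$(mktemp) || exit 1
sample_old_conf > "$tmp"; audit_dovecot_conf "$tmp" || true
sample_new_conf > "$tmp"; audit_dovecot_conf "$tmp" || true
rm -f "$tmp"
```

A commented-out mail_extra_groups line, such as the one a package-maintainer config may leave behind, is ignored; only an active assignment produces FAIL.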

http://www.securityspace.com/smysecure/catid.html?in=USN-593-1

Risk factor: High
Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2008-1199
Bugtraq: 20080304 Dovecot mail_extra_groups setting is often used insecurely
http://www.securityfocus.com/archive/1/archive/1/489133/100/0/threaded
http://www.dovecot.org/list/dovecot-news/2008-March/000061.html
Debian Security Information: DSA-1516
http://www.debian.org/security/2008/dsa-1516
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html
http://security.gentoo.org/glsa/glsa-200803-25.xml
http://www.redhat.com/support/errata/RHSA-2008-0297.html
SuSE Security Announcement: SUSE-SR:2008:020
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html
http://www.ubuntulinux.org/support/documentation/usn/usn-593-1
BugTraq ID: 28092
http://www.securityfocus.com/bid/28092
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10739
http://secunia.com/advisories/29226
http://secunia.com/advisories/29385
http://secunia.com/advisories/29396
http://secunia.com/advisories/29557
http://secunia.com/advisories/32151
http://secunia.com/advisories/30342
XForce ISS Database: dovecot-mailextragroups-unauth-access(41009)
http://xforce.iss.net/xforce/xfdb/41009
Common Vulnerability Exposure (CVE) ID: CVE-2008-1218
Bugtraq: 20080312 rPSA-2008-0108-1 dovecot
http://www.securityfocus.com/archive/1/archive/1/489481/100/0/threaded
http://www.milw0rm.com/exploits/5257
http://www.dovecot.org/list/dovecot-news/2008-March/000065.html
http://www.dovecot.org/list/dovecot-news/2008-March/000064.html
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108
https://issues.rpath.com/browse/RPL-2341
BugTraq ID: 28181
http://www.securityfocus.com/bid/28181
http://secunia.com/advisories/29295
http://secunia.com/advisories/29364
XForce ISS Database: dovecot-tab-authentication-bypass(41085)
http://xforce.iss.net/xforce/xfdb/41085
Copyright: Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com
