English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 146377 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.60675
Category:Ubuntu Local Security Checks
Title:Ubuntu USN-593-1 (dovecot)
Summary:NOSUMMARY
Description:Description:

The remote host is missing an update to dovecot
announced via advisory USN-593-1.

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

Details follow:

It was discovered that the default configuration of dovecot could allow
access to any email files with group mail without verifying that a user
had valid rights. An attacker able to create symlinks in their mail
directory could exploit this to read or delete another user's email.
(CVE-2008-1199)

By default, dovecot passed special characters to the underlying
authentication systems. While Ubuntu releases of dovecot are not known
to be vulnerable, the authentication routine was proactively improved
to avoid potential future problems. (CVE-2008-1218)

Solution:
The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
dovecot-common 1.0.beta3-3ubuntu5.6
dovecot-imapd 1.0.beta3-3ubuntu5.6
dovecot-pop3d 1.0.beta3-3ubuntu5.6

Ubuntu 6.10:
dovecot-common 1.0.rc2-1ubuntu2.3
dovecot-imapd 1.0.rc2-1ubuntu2.3
dovecot-pop3d 1.0.rc2-1ubuntu2.3

Ubuntu 7.04:
dovecot-common 1.0.rc17-1ubuntu2.3
dovecot-imapd 1.0.rc17-1ubuntu2.3
dovecot-pop3d 1.0.rc17-1ubuntu2.3

Ubuntu 7.10:
dovecot-common 1:1.0.5-1ubuntu2.2
dovecot-imapd 1:1.0.5-1ubuntu2.2
dovecot-pop3d 1:1.0.5-1ubuntu2.2

After a standard system upgrade, additional dovecot configuration changes
are needed.

ATTENTION: Due to an unavoidable configuration update, the dovecot
settings in /etc/dovecot/dovecot.conf need to be updated manually.
During the update, a configuration file conflict will be shown.
The default setting mail_extra_groups = mail should be changed to
mail_privileged_group = mail. If your local configuration uses groups
other than mail, you may need to use the new mail_access_groups
setting as well.

http://www.securityspace.com/smysecure/catid.html?in=USN-593-1

Risk factor : High

CVSS Score:
6.8

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2008-1199
BugTraq ID: 28092
http://www.securityfocus.com/bid/28092
Bugtraq: 20080304 Dovecot mail_extra_groups setting is often used insecurely (Google Search)
http://www.securityfocus.com/archive/1/489133/100/0/threaded
Debian Security Information: DSA-1516 (Google Search)
http://www.debian.org/security/2008/dsa-1516
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html
http://security.gentoo.org/glsa/glsa-200803-25.xml
http://www.dovecot.org/list/dovecot-news/2008-March/000061.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739
http://www.redhat.com/support/errata/RHSA-2008-0297.html
http://secunia.com/advisories/29226
http://secunia.com/advisories/29385
http://secunia.com/advisories/29396
http://secunia.com/advisories/29557
http://secunia.com/advisories/30342
http://secunia.com/advisories/32151
SuSE Security Announcement: SUSE-SR:2008:020 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html
https://usn.ubuntu.com/593-1/
XForce ISS Database: dovecot-mailextragroups-unauth-access(41009)
https://exchange.xforce.ibmcloud.com/vulnerabilities/41009
Common Vulnerability Exposure (CVE) ID: CVE-2008-1218
BugTraq ID: 28181
http://www.securityfocus.com/bid/28181
Bugtraq: 20080312 rPSA-2008-0108-1 dovecot (Google Search)
http://www.securityfocus.com/archive/1/489481/100/0/threaded
https://www.exploit-db.com/exploits/5257
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108
http://www.dovecot.org/list/dovecot-news/2008-March/000064.html
http://www.dovecot.org/list/dovecot-news/2008-March/000065.html
http://secunia.com/advisories/29295
http://secunia.com/advisories/29364
XForce ISS Database: dovecot-tab-authentication-bypass(41085)
https://exchange.xforce.ibmcloud.com/vulnerabilities/41085
CopyrightCopyright (c) 2008 E-Soft Inc. http://www.securityspace.com

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.