Test ID:	1.3.6.1.4.1.25623.1.0.840335
Category:	Ubuntu Local Security Checks
Title:	Ubuntu: Security Advisory (USN-593-1)
Summary:	The remote host is missing an update for the 'dovecot' package(s) announced via the USN-593-1 advisory.
Description:	Summary: The remote host is missing an update for the 'dovecot' package(s) announced via the USN-593-1 advisory. Vulnerability Insight: It was discovered that the default configuration of dovecot could allow access to any email files with group 'mail' without verifying that a user had valid rights. An attacker able to create symlinks in their mail directory could exploit this to read or delete another user's email. (CVE-2008-1199) By default, dovecot passed special characters to the underlying authentication systems. While Ubuntu releases of dovecot are not known to be vulnerable, the authentication routine was proactively improved to avoid potential future problems. (CVE-2008-1218) Affected Software/OS: 'dovecot' package(s) on Ubuntu 6.06, Ubuntu 6.10, Ubuntu 7.04, Ubuntu 7.10. Solution: Please install the updated package(s). CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2008-1199 BugTraq ID: 28092 http://www.securityfocus.com/bid/28092 Bugtraq: 20080304 Dovecot mail_extra_groups setting is often used insecurely (Google Search) http://www.securityfocus.com/archive/1/489133/100/0/threaded Debian Security Information: DSA-1516 (Google Search) http://www.debian.org/security/2008/dsa-1516 https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html http://security.gentoo.org/glsa/glsa-200803-25.xml http://www.dovecot.org/list/dovecot-news/2008-March/000061.html https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739 http://www.redhat.com/support/errata/RHSA-2008-0297.html http://secunia.com/advisories/29226 http://secunia.com/advisories/29385 http://secunia.com/advisories/29396 http://secunia.com/advisories/29557 http://secunia.com/advisories/30342 http://secunia.com/advisories/32151 SuSE Security Announcement: SUSE-SR:2008:020 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html https://usn.ubuntu.com/593-1/ XForce ISS Database: dovecot-mailextragroups-unauth-access(41009) https://exchange.xforce.ibmcloud.com/vulnerabilities/41009 Common Vulnerability Exposure (CVE) ID: CVE-2008-1218 BugTraq ID: 28181 http://www.securityfocus.com/bid/28181 Bugtraq: 20080312 rPSA-2008-0108-1 dovecot (Google Search) http://www.securityfocus.com/archive/1/489481/100/0/threaded https://www.exploit-db.com/exploits/5257 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108 http://www.dovecot.org/list/dovecot-news/2008-March/000064.html http://www.dovecot.org/list/dovecot-news/2008-March/000065.html http://secunia.com/advisories/29295 http://secunia.com/advisories/29364 XForce ISS Database: dovecot-tab-authentication-bypass(41085) https://exchange.xforce.ibmcloud.com/vulnerabilities/41085
Copyright	Copyright (C) 2009 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.