[USN-838-1] Dovecot vulnerabilities



===========================================================
Ubuntu Security Notice USN-838-1 September 28, 2009
dovecot vulnerabilities
CVE-2008-4577, CVE-2008-5301, CVE-2009-2632, CVE-2009-3235
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
dovecot-common 1:1.0.10-1ubuntu5.2

Ubuntu 8.10:
dovecot-common 1:1.1.4-0ubuntu1.3

Ubuntu 9.04:
dovecot-common 1:1.1.11-0ubuntu4.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that the ACL plugin in Dovecot would incorrectly handle
negative access rights. An attacker could exploit this flaw to access the
Dovecot server, bypassing the intended access restrictions. This only
affected Ubuntu 8.04 LTS. (CVE-2008-4577)

It was discovered that the ManageSieve service in Dovecot incorrectly
handled ".." in script names. A remote attacker could exploit this to read
and modify arbitrary sieve files on the server. This only affected Ubuntu
8.10. (CVE-2008-5301)

It was discovered that the Sieve plugin in Dovecot incorrectly handled
certain sieve scripts. An authenticated user could exploit this with a
crafted sieve script to cause a denial of service or possibly execute
arbitrary code. (CVE-2009-2632, CVE-2009-3235)




