=========================================================== Ubuntu Security Notice USN-838-1 September 28, 2009 dovecot vulnerabilities CVE-2008-4577, CVE-2008-5301, CVE-2009-2632, CVE-2009-3235 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: dovecot-common 1:1.0.10-1ubuntu5.2 Ubuntu 8.10: dovecot-common 1:1.1.4-0ubuntu1.3 Ubuntu 9.04: dovecot-common 1:1.1.11-0ubuntu4.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that the ACL plugin in Dovecot would incorrectly handle negative access rights. An attacker could exploit this flaw to access the Dovecot server, bypassing the indended access restrictions. This only affected Ubuntu 8.04 LTS. (CVE-2008-4577) It was discovered that the ManageSieve service in Dovecot incorrectly handled ".." in script names. A remote attacker could exploit this to read and modify arbitrary sieve files on the server. This only affected Ubuntu 8.10. (CVE-2008-5301) It was discovered that the Sieve plugin in Dovecot incorrectly handled certain sieve scripts. An authenticated user could exploit this with a crafted sieve script to cause a denial of service or possibly execute arbitrary code. (CVE-2009-2632, CVE-2009-3235) Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.10-1ubuntu5.2.diff.gz Size/MD5: 407785 8bab610c8eaa3d584251f43f589458ef http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.10-1ubuntu5.2.dsc Size/MD5: 1295 381a3267d0258419fee8f054ee5bcd13 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.10.orig.tar.gz Size/MD5: 1797790 c050fa2a7dae8984d432595e3e8183e1 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_amd64.deb Size/MD5: 1838902 c0bd69b04f49b20bdbe7e2c830660e04 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_amd64.deb Size/MD5: 387834 b6a474d722d36ca98e2790954304d249 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_amd64.deb Size/MD5: 662814 ab6309638125fabe5752177671b3f8b3 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_amd64.deb Size/MD5: 625852 ce40fd95a9dc4bcc60c1b0c473a5e117 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_i386.deb Size/MD5: 1695832 b1c5df762f681ee1c6ab3a9903ff367a http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_i386.deb Size/MD5: 387848 d00535e76b28f9622ea77c36c69b808d http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_i386.deb Size/MD5: 629748 61cb4fda4aa29fce1bf326522bbb2dda http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_i386.deb Size/MD5: 596084 d97fb54aba0f43f014f9e1dfd6404456 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_lpia.deb Size/MD5: 1689932 e20d72de31679d4698caaa2d3fd92ebb http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_lpia.deb Size/MD5: 387846 34903b7cdb220e85978c6483c7f09848 http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_lpia.deb Size/MD5: 630210 7238a78a55f787251facd75cc3a15539 http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_lpia.deb Size/MD5: 596564 f969a0ee5a2de65dee4e81de9c103622 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_powerpc.deb Size/MD5: 1859284 96619941551bb690e56d6604972370da http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_powerpc.deb Size/MD5: 387880 cf175dd90cf5b677f55106c4e680ed9b http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_powerpc.deb Size/MD5: 669752 2b3b052e0d9703b41886c57793e7d1d6 http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_powerpc.deb Size/MD5: 633286 d87398d7e70d3eaf53e2c6fdd8652c5b sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.0.10-1ubuntu5.2_sparc.deb Size/MD5: 1688040 38f3316086f8e23d3894a3391d5e1a4d http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.0.10-1ubuntu5.2_sparc.deb Size/MD5: 387864 ddb730f73fa997e160fc5cecb33849fa http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.0.10-1ubuntu5.2_sparc.deb Size/MD5: 626886 6f8101225f556210c487c1b893aa639e http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.0.10-1ubuntu5.2_sparc.deb Size/MD5: 593772 ea19773a3574702074ae05e30bdb248a Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.4-0ubuntu1.3.diff.gz Size/MD5: 928070 e0aa195d3428177fe9411548751772bd http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.4-0ubuntu1.3.dsc Size/MD5: 1631 9c08ffd5652cfb1773f44e124d13ca61 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.4.orig.tar.gz Size/MD5: 2314155 0050dd609cb456c8e52565a85373df28 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.3_amd64.deb Size/MD5: 3741952 0b0cfe3678735916771b36e5ec160e06 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.3_amd64.deb Size/MD5: 550040 1917dfa8998eb7ca66ca3976bda173e1 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.3_amd64.deb Size/MD5: 950536 17d646723188b605fa3a3049498fe4ff http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.3_amd64.deb Size/MD5: 905584 f387f84340a9504321524219474fa147 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.3_i386.deb Size/MD5: 3517356 7e0152635e337f3270880854fd6c9915 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.3_i386.deb Size/MD5: 550052 13bf7c6602410ef8f36e12a0ad9acfa2 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.3_i386.deb Size/MD5: 921792 417d56c7b938c795e55f49900e915b3b http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.3_i386.deb Size/MD5: 875792 09ff4ebec07209aa3a6c8e4948a9fdef lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.3_lpia.deb Size/MD5: 3462178 1069f6a2dba50c0ca051f6729d5b690c http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.3_lpia.deb Size/MD5: 550044 ff2f07f9bf2e2790dfa3a0bb179f9818 http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.3_lpia.deb Size/MD5: 913898 a9b186e1376c95035149e03cb6304f06 http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.3_lpia.deb Size/MD5: 869782 3100c863e91d39871bbef95eb90fc5d2 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.3_powerpc.deb Size/MD5: 3809458 549f771da3cc47778cf39cd136fb31ea http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.3_powerpc.deb Size/MD5: 550068 a7684b6f8de2bdc0779e3f1909a71ddd http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.3_powerpc.deb Size/MD5: 967808 ac60bc51b60709e87c16e1a89b4d86a4 http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.3_powerpc.deb Size/MD5: 917878 1a97248a18f853868f79a647baddadf9 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.4-0ubuntu1.3_sparc.deb Size/MD5: 3504892 2f9769dba2217da279734406fc4f7598 http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.4-0ubuntu1.3_sparc.deb Size/MD5: 550104 785e41269e14f2dc8259b4c50d7521f5 http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.4-0ubuntu1.3_sparc.deb Size/MD5: 919240 32d5e97daaac4a485a73e1c2deb4b12a http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.4-0ubuntu1.3_sparc.deb Size/MD5: 872784 ba89567df97c5852802dee8664592440 Updated packages for Ubuntu 9.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.11-0ubuntu4.1.diff.gz Size/MD5: 933389 e69b949ee26b6f2d59549c14f473ff36 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.11-0ubuntu4.1.dsc Size/MD5: 1655 55553d872f13646ee67923675ba5aeca http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.1.11.orig.tar.gz Size/MD5: 2362415 c973eb41aca79fb16630a16f0d84f765 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-postfix_1.1.11-0ubuntu4.1_all.deb Size/MD5: 22572 dc5219ed120e1541596d327ea3c5bb25 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.1.11-0ubuntu4.1_amd64.deb Size/MD5: 3708084 016223dc6893ecf7e87d269f49125e58 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.1.11-0ubuntu4.1_amd64.deb Size/MD5: 565074 1d847edeba4f72d6bc849af74facb327 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.1.11-0ubuntu4.1_amd64.deb Size/MD5: 969828 7f4fae28f42007ddc221cb17a4698b46 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.1.11-0ubuntu4.1_amd64.deb Size/MD5: 925688 079c721b1076d1e0fbe207250acaac2f i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.1.11-0ubuntu4.1_i386.deb Size/MD5: 3489560 4891c8aaa08191613a910abca4004807 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.1.11-0ubuntu4.1_i386.deb Size/MD5: 565088 205baabd1480d8dc192ad8664806d79f http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.1.11-0ubuntu4.1_i386.deb Size/MD5: 939976 51b85c21d6985a0179ae400f150bbc43 http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.1.11-0ubuntu4.1_i386.deb Size/MD5: 896494 c509b3e8e4f33a7b89b09fe898aa0a26 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.11-0ubuntu4.1_lpia.deb Size/MD5: 3438158 00fd839575485921909b33205279f434 http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.11-0ubuntu4.1_lpia.deb Size/MD5: 565062 3f97b5355509275f1e895a2f8f2548b1 http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.11-0ubuntu4.1_lpia.deb Size/MD5: 932192 69836d9eb88460c42f5fdea61a6e70aa http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.11-0ubuntu4.1_lpia.deb Size/MD5: 890114 c23e4311d013a7416392a2c2c28c2144 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.11-0ubuntu4.1_powerpc.deb Size/MD5: 3780660 bab41c6fcbcdf7e2f39d32f27e090ec3 http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.11-0ubuntu4.1_powerpc.deb Size/MD5: 565124 b3d5cc8886c6be0b4c538c3204cb6cef http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.11-0ubuntu4.1_powerpc.deb Size/MD5: 987250 7a018b6c36747bde9d1cff6eb79a7a5d http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.11-0ubuntu4.1_powerpc.deb Size/MD5: 938730 c3a8c128308f0b1212300a0a2121ca43 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.1.11-0ubuntu4.1_sparc.deb Size/MD5: 3473282 d20e674b6c5fff91f20a75182b836664 http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.1.11-0ubuntu4.1_sparc.deb Size/MD5: 565124 d9abbe6098367fbdb0cb75c58197edab http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.1.11-0ubuntu4.1_sparc.deb Size/MD5: 936990 62c55214cbb59c52e6df64a599135b28 http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.1.11-0ubuntu4.1_sparc.deb Size/MD5: 893462 c613a178367b122aa0a4ef525f9f55e8
Attachment:
signature.asc
Description: This is a digitally signed message part