News

Wednesday, July 18, 2007

ubuntu-security-announce Digest, Vol 34, Issue 5

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-487-1] Dovecot vulnerability (Kees Cook)


----------------------------------------------------------------------

Message: 1
Date: Tue, 17 Jul 2007 14:57:01 -0700
From: Kees Cook <kees@ubuntu.com>
Subject: [USN-487-1] Dovecot vulnerability
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <20070717215701.GF11087@outflux.net>
Content-Type: text/plain; charset="us-ascii"

===========================================================
Ubuntu Security Notice USN-487-1 July 17, 2007
dovecot vulnerability
CVE-2007-2231
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
dovecot-common 1.0.beta3-3ubuntu5.5

Ubuntu 6.10:
dovecot-common 1.0.rc2-1ubuntu2.2

Ubuntu 7.04:
dovecot-common 1.0.rc17-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Dovecot, when configured to use non-system-user
spools and compressed folders, would allow directory traversals in
mailbox names. Remote authenticated users could potentially read email
owned by other users.


Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3-3ubuntu5.5.diff.gz

Size/MD5: 469298 29bd87efba635fd5eedb3895d20acc46

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3-3ubuntu5.5.dsc

Size/MD5: 867 5036d7a6d364a2ad840b0d54e3339f38

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3.orig.tar.gz

Size/MD5: 1360574 5418f9f7fe99e4f10bb82d9fe504138a

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.beta3-3ubuntu5.5_amd64.deb

Size/MD5: 962840 6cca1d5abd731afba38bb29f6c9933f5

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.beta3-3ubuntu5.5_amd64.deb

Size/MD5: 532874 e9e41c0952c466de86cb5ce0e6587a22

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.beta3-3ubuntu5.5_amd64.deb

Size/MD5: 500994 bc7b6969f03f5f311848410e935dfded

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.beta3-3ubuntu5.5_i386.deb

Size/MD5: 838814 753181c3a1179a6ec1bd72b13dc5b9a4

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.beta3-3ubuntu5.5_i386.deb

Size/MD5: 486092 d11b682eb421301f797e80194b51b67b

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.beta3-3ubuntu5.5_i386.deb

Size/MD5: 456858 d8ca7cb44101b96455b891e9e42bc5b3

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.beta3-3ubuntu5.5_powerpc.deb

Size/MD5: 941292 e1d73b71061280687181e8f938b8e264

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.beta3-3ubuntu5.5_powerpc.deb

Size/MD5: 526582 4f89130337e474c68a419f4724cf1aa4

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.beta3-3ubuntu5.5_powerpc.deb

Size/MD5: 494322 ebbdc5b738172d4dfc6b25ec39ddfa91

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.beta3-3ubuntu5.5_sparc.deb

Size/MD5: 855402 12181c54c433922b9eee15f585a0ae8f

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.beta3-3ubuntu5.5_sparc.deb

Size/MD5: 492088 9d4880192868043bbc62096ea23ac2e0

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.beta3-3ubuntu5.5_sparc.deb

Size/MD5: 462252 5f62fd110c14911bcfb406a84703cb5d

Updated packages for Ubuntu 6.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2-1ubuntu2.2.diff.gz

Size/MD5: 473084 483a9eb80e9750acdf385ed824056db9

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2-1ubuntu2.2.dsc

Size/MD5: 900 11dc25bceb20c8e6d6870b53f38bdc3c

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2.orig.tar.gz

Size/MD5: 1257435 e27a248b2ee224e4618aa2f020150041

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc2-1ubuntu2.2_amd64.deb

Size/MD5: 936296 0ae0d9e4217dae4b910b489670f25a5e

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc2-1ubuntu2.2_amd64.deb

Size/MD5: 387028 dee13d869de26b760f55f2ca79aa9459

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc2-1ubuntu2.2_amd64.deb

Size/MD5: 353208 7f8cd14c0f45fa2d60b81112361e47ea

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc2-1ubuntu2.2_i386.deb

Size/MD5: 833674 a8f0594ac17eaf15b7b8574bed437d8a

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc2-1ubuntu2.2_i386.deb

Size/MD5: 354212 31a82ddd4094a0293bd80e20387e734a

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc2-1ubuntu2.2_i386.deb

Size/MD5: 323498 69cb3e9d2aad06b53627a0da1f2f0cf5

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc2-1ubuntu2.2_powerpc.deb

Size/MD5: 924998 9158a6ee1b882ec64d2e7bd0ad337ebe

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc2-1ubuntu2.2_powerpc.deb

Size/MD5: 385336 9608f3975460aea5cf553d454f6522ff

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc2-1ubuntu2.2_powerpc.deb

Size/MD5: 352020 9facc03f70e9d7ad823ef0ed4b6fc20c

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc2-1ubuntu2.2_sparc.deb

Size/MD5: 820528 97f8b26eba76a6351c60f2ff2d02a48d

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc2-1ubuntu2.2_sparc.deb

Size/MD5: 347752 b8ce2d4174b4aefee2ddaa311d0db376

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc2-1ubuntu2.2_sparc.deb

Size/MD5: 316908 d5b9a64f49f61f617e73d6371a3f9ed1

Updated packages for Ubuntu 7.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-1ubuntu2.1.diff.gz

Size/MD5: 99862 9bf881b3592e2d48e4b31123fe43563b

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-1ubuntu2.1.dsc

Size/MD5: 1099 c657aea243cfbeac420794c0a43bae95

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17.orig.tar.gz

Size/MD5: 1512386 881bcc7d2c8fba6d337f3e616a602bf7

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc17-1ubuntu2.1_amd64.deb

Size/MD5: 1274644 46145219067be168cfe05961140faabf

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc17-1ubuntu2.1_amd64.deb

Size/MD5: 586540 eac2b3216e1f76c20354c322f3b1bae0

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc17-1ubuntu2.1_amd64.deb

Size/MD5: 552280 cffa97e43063a8c27382b302541cf00b

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc17-1ubuntu2.1_i386.deb

Size/MD5: 1164578 45655df2ab5d68ab09c17a52b286fef5

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc17-1ubuntu2.1_i386.deb

Size/MD5: 554174 33f48b9b7d8639ccb75cbccbaa48e59d

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc17-1ubuntu2.1_i386.deb

Size/MD5: 521498 c7094f9dd1fabcae02f4e535d24c9c7f

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc17-1ubuntu2.1_powerpc.deb

Size/MD5: 1291064 6b55bb639475bcecbf00655ad6cd27ea

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc17-1ubuntu2.1_powerpc.deb

Size/MD5: 590906 6afd3063c2bbe6c46119d7c2bf0114a1

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc17-1ubuntu2.1_powerpc.deb

Size/MD5: 556068 009c76cc27d1812d2abf6d997116e500

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc17-1ubuntu2.1_sparc.deb

Size/MD5: 1158070 25978232a1680992b84edc754f9f42e9

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc17-1ubuntu2.1_sparc.deb

Size/MD5: 549476 d9d6f94295f77b1d42f6775e38475fd1

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc17-1ubuntu2.1_sparc.deb

Size/MD5: 517012 58f2daca2b94c95c66f30277f8401373

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20070717/f6547d2e/attachment-0001.pgp


------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 34, Issue 5
*******************************************************

No comments:

Blog Archive