Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0375 -- [UNIX/Linux][Debian]
New dovecot packages fix directory traversal
30 May 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Dovecot
Publisher: Debian
Operating System: Debian GNU/Linux 3.1
UNIX variants (UNIX, Linux, OSX)
Impact: Read-only Data Access
Access: Existing Account
CVE Names: CVE-2006-2414
Original Bulletin: http://www.debian.org/security/2006/dsa-1080
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running Dovecot check for an updated version of the software
for their operating system at http://www.dovecot.org.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 1080-1 security@debian.org
http://www.debian.org/security/ Steve Kemp
May 29th, 2006 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : dovecot
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-2414
A problem has been discovered in the IMAP component of Dovecot, a
secure mail server that supports mbox and maildir mailboxes, which can
lead to information disclosure via directory traversal by
authenticated users.
The old stable distribution (woody) is not affected by this problem.
For the stable distribution (sarge) this problem has been fixed in
version 0.99.14-1sarge0.
For the unstable distribution (sid) this problem has been fixed in
version 1.0beta8-1.
We recommend that you upgrade your dovecot-imapd package.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_0.99.14-1sarge0.dsc
Size/MD5 checksum: 760 5365f712ee15d1c3b825af2ef95f583e
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_0.99.14-1sarge0.diff.gz
Size/MD5 checksum: 26557 e30859421db7ebe8478dacb02110f3f0
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_0.99.14.orig.tar.gz
Size/MD5 checksum: 871285 a12e26fd378a46c31ec3a81ab7b55b5b
Architecture independent components:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_0.99.14-1sarge0_all.deb
Size/MD5 checksum: 7516 b6813e75e60e5094ac114fcc198d2ea2
Alpha architecture:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_alpha.deb
Size/MD5 checksum: 283796 06751f47fe61b4f9fd410cd055288be2
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_alpha.deb
Size/MD5 checksum: 364838 e6e564cf60e92b4bd12f5209f56ed4c1
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_alpha.deb
Size/MD5 checksum: 331290 e6bf35a49d23636b53378e996ce9c1d2
AMD64 architecture:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_amd64.deb
Size/MD5 checksum: 258846 990b811364af83c3223e6a733fb6856b
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_amd64.deb
Size/MD5 checksum: 311520 642e17490997baa93857b282c4b13f7a
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_amd64.deb
Size/MD5 checksum: 285308 6ea57ba9b419b77964812a93f959b98c
ARM architecture:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_arm.deb
Size/MD5 checksum: 244796 64574178089a5c8ee75912adbe0aaf33
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_arm.deb
Size/MD5 checksum: 289624 5d4b172a52f4f23d9702348d03b35ff3
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_arm.deb
Size/MD5 checksum: 265496 3284fc52fd054f5545e8327cc0d39e7a
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_i386.deb
Size/MD5 checksum: 245230 ba2e1bccd3d12180c2ec50d41102dde7
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_i386.deb
Size/MD5 checksum: 292656 00c0245e231a07bc05104c2b3113951b
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_i386.deb
Size/MD5 checksum: 268158 9c061cc01ca82178530b6c47aad1120c
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_ia64.deb
Size/MD5 checksum: 308824 fab290d2d317aa96a0111129214cf05e
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_ia64.deb
Size/MD5 checksum: 429626 287f26ebef5de68a0867ef38fcba4aa0
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_ia64.deb
Size/MD5 checksum: 389276 f4cc53876bae4f3780eeb89465700c8f
HP Precision architecture:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_hppa.deb
Size/MD5 checksum: 263982 2fefd32583dfff8410dbe14bc32c9771
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_hppa.deb
Size/MD5 checksum: 329758 1375b56509aee5b605ef3a290469d43c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_hppa.deb
Size/MD5 checksum: 301158 504332dbc815999c61b48d3eac4fb7a3
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_m68k.deb
Size/MD5 checksum: 234130 a45c037148354769c27892781267485a
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_m68k.deb
Size/MD5 checksum: 265658 a37e2a5eaa09a604dda421fafbd26b0c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_m68k.deb
Size/MD5 checksum: 243988 648469b9fdc01db53d142388b8cc2455
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_mips.deb
Size/MD5 checksum: 266612 709081de9bbd89abf7e604415c084336
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_mips.deb
Size/MD5 checksum: 335312 cd3c144f32e7e2f8b051c4038729d0db
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_mips.deb
Size/MD5 checksum: 306346 324926cc8cd59c1752c28a5a5e3c82f0
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_mipsel.deb
Size/MD5 checksum: 266570 cf6172ff278d730828743d8d5c225c30
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_mipsel.deb
Size/MD5 checksum: 335318 48895c1e7d38310df3438b06c0bd0255
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_mipsel.deb
Size/MD5 checksum: 306390 0ad05fa2956bf634ab4ee5cb644f6776
PowerPC architecture:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_powerpc.deb
Size/MD5 checksum: 256774 4545dd863436ac5725b98dbfec1cd25e
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_powerpc.deb
Size/MD5 checksum: 313862 2df352eced7aff6eda4e6e516b94c402
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_powerpc.deb
Size/MD5 checksum: 286772 06b25b73ede373b9b9bda930dc4afef9
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_s390.deb
Size/MD5 checksum: 265964 9b18cdf5194db5a614e98c1a2e14f176
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_s390.deb
Size/MD5 checksum: 325310 a732511d63ed64239df43d09c0cd1afd
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_s390.deb
Size/MD5 checksum: 297864 ebcf6c73b0b94f6b9fee1c85a04f4824
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_sparc.deb
Size/MD5 checksum: 244540 87bb459d4c1eb6ed335dd57fee3fed0c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_sparc.deb
Size/MD5 checksum: 291136 5abab794ab7a53e83190a38a7185e648
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_sparc.deb
Size/MD5 checksum: 266018 c63b900e49e4769200aef6db7b6bccf0
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEep0/W5ql+IAeqTIRArPKAJ97LqMoapV3aqi/I5v8TI6Of3Oa7wCeLfmf
uCktCQh0gxg44eK9g3IVaGA=
=LHtI
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRHulqCh9+71yA2DNAQLVrwP7BCp7DZWxc5HdPO8Cd2/HhYMAPD9VpdjP
m5WW6EgG4N3d404O6pMXEYzLwBgyEEvNnGkjHrw90ZrrAH8A9udF8l+pv1qsjiFU
wwphYjIRPLR0jibuvQmVpog9Ax2hD3+TtU/ssDDfETsDaWCqi0hnpayRDM/FBiS5
0G9Hxcooo+Q=
=kTXl
-----END PGP SIGNATURE-----