Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2006.0375 -- [UNIX/Linux][Debian] New dovecot packages fix directory traversal 30 May 2006 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Dovecot Publisher: Debian Operating System: Debian GNU/Linux 3.1 UNIX variants (UNIX, Linux, OSX) Impact: Read-only Data Access Access: Existing Account CVE Names: CVE-2006-2414 Original Bulletin: http://www.debian.org/security/2006/dsa-1080 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running Dovecot check for an updated version of the software for their operating system at http://www.dovecot.org. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 1080-1 security@debian.org http://www.debian.org/security/ Steve Kemp May 29th, 2006 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : dovecot Vulnerability : programming error Problem type : remote Debian-specific: no CVE ID : CVE-2006-2414 A problem has been discovered in the IMAP component of Dovecot, a secure mail server that supports mbox and maildir mailboxes, which can lead to information disclosure via directory traversal by authenticated users. The old stable distribution (woody) is not affected by this problem. For the stable distribution (sarge) this problem has been fixed in version 0.99.14-1sarge0. For the unstable distribution (sid) this problem has been fixed in version 1.0beta8-1. We recommend that you upgrade your dovecot-imapd package. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/d/dovecot/dovecot_0.99.14-1sarge0.dsc Size/MD5 checksum: 760 5365f712ee15d1c3b825af2ef95f583e http://security.debian.org/pool/updates/main/d/dovecot/dovecot_0.99.14-1sarge0.diff.gz Size/MD5 checksum: 26557 e30859421db7ebe8478dacb02110f3f0 http://security.debian.org/pool/updates/main/d/dovecot/dovecot_0.99.14.orig.tar.gz Size/MD5 checksum: 871285 a12e26fd378a46c31ec3a81ab7b55b5b Architecture independent components: http://security.debian.org/pool/updates/main/d/dovecot/dovecot_0.99.14-1sarge0_all.deb Size/MD5 checksum: 7516 b6813e75e60e5094ac114fcc198d2ea2 Alpha architecture: http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_alpha.deb Size/MD5 checksum: 283796 06751f47fe61b4f9fd410cd055288be2 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_alpha.deb Size/MD5 checksum: 364838 e6e564cf60e92b4bd12f5209f56ed4c1 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_alpha.deb Size/MD5 checksum: 331290 e6bf35a49d23636b53378e996ce9c1d2 AMD64 architecture: http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_amd64.deb Size/MD5 checksum: 258846 990b811364af83c3223e6a733fb6856b http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_amd64.deb Size/MD5 checksum: 311520 642e17490997baa93857b282c4b13f7a http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_amd64.deb Size/MD5 checksum: 285308 6ea57ba9b419b77964812a93f959b98c ARM architecture: http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_arm.deb Size/MD5 checksum: 244796 64574178089a5c8ee75912adbe0aaf33 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_arm.deb Size/MD5 checksum: 289624 5d4b172a52f4f23d9702348d03b35ff3 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_arm.deb Size/MD5 checksum: 265496 3284fc52fd054f5545e8327cc0d39e7a Intel IA-32 architecture: http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_i386.deb Size/MD5 checksum: 245230 ba2e1bccd3d12180c2ec50d41102dde7 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_i386.deb Size/MD5 checksum: 292656 00c0245e231a07bc05104c2b3113951b http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_i386.deb Size/MD5 checksum: 268158 9c061cc01ca82178530b6c47aad1120c Intel IA-64 architecture: http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_ia64.deb Size/MD5 checksum: 308824 fab290d2d317aa96a0111129214cf05e http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_ia64.deb Size/MD5 checksum: 429626 287f26ebef5de68a0867ef38fcba4aa0 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_ia64.deb Size/MD5 checksum: 389276 f4cc53876bae4f3780eeb89465700c8f HP Precision architecture: http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_hppa.deb Size/MD5 checksum: 263982 2fefd32583dfff8410dbe14bc32c9771 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_hppa.deb Size/MD5 checksum: 329758 1375b56509aee5b605ef3a290469d43c http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_hppa.deb Size/MD5 checksum: 301158 504332dbc815999c61b48d3eac4fb7a3 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_m68k.deb Size/MD5 checksum: 234130 a45c037148354769c27892781267485a http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_m68k.deb Size/MD5 checksum: 265658 a37e2a5eaa09a604dda421fafbd26b0c http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_m68k.deb Size/MD5 checksum: 243988 648469b9fdc01db53d142388b8cc2455 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_mips.deb Size/MD5 checksum: 266612 709081de9bbd89abf7e604415c084336 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_mips.deb Size/MD5 checksum: 335312 cd3c144f32e7e2f8b051c4038729d0db http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_mips.deb Size/MD5 checksum: 306346 324926cc8cd59c1752c28a5a5e3c82f0 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_mipsel.deb Size/MD5 checksum: 266570 cf6172ff278d730828743d8d5c225c30 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_mipsel.deb Size/MD5 checksum: 335318 48895c1e7d38310df3438b06c0bd0255 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_mipsel.deb Size/MD5 checksum: 306390 0ad05fa2956bf634ab4ee5cb644f6776 PowerPC architecture: http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_powerpc.deb Size/MD5 checksum: 256774 4545dd863436ac5725b98dbfec1cd25e http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_powerpc.deb Size/MD5 checksum: 313862 2df352eced7aff6eda4e6e516b94c402 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_powerpc.deb Size/MD5 checksum: 286772 06b25b73ede373b9b9bda930dc4afef9 IBM S/390 architecture: http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_s390.deb Size/MD5 checksum: 265964 9b18cdf5194db5a614e98c1a2e14f176 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_s390.deb Size/MD5 checksum: 325310 a732511d63ed64239df43d09c0cd1afd http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_s390.deb Size/MD5 checksum: 297864 ebcf6c73b0b94f6b9fee1c85a04f4824 Sun Sparc architecture: http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_0.99.14-1sarge0_sparc.deb Size/MD5 checksum: 244540 87bb459d4c1eb6ed335dd57fee3fed0c http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_0.99.14-1sarge0_sparc.deb Size/MD5 checksum: 291136 5abab794ab7a53e83190a38a7185e648 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_0.99.14-1sarge0_sparc.deb Size/MD5 checksum: 266018 c63b900e49e4769200aef6db7b6bccf0 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFEep0/W5ql+IAeqTIRArPKAJ97LqMoapV3aqi/I5v8TI6Of3Oa7wCeLfmf uCktCQh0gxg44eK9g3IVaGA= =LHtI - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRHulqCh9+71yA2DNAQLVrwP7BCp7DZWxc5HdPO8Cd2/HhYMAPD9VpdjP m5WW6EgG4N3d404O6pMXEYzLwBgyEEvNnGkjHrw90ZrrAH8A9udF8l+pv1qsjiFU wwphYjIRPLR0jibuvQmVpog9Ax2hD3+TtU/ssDDfETsDaWCqi0hnpayRDM/FBiS5 0G9Hxcooo+Q= =kTXl -----END PGP SIGNATURE-----