Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0028 -- [UNIX/Linux][Debian]
New dovecot packages fix information disclosure
10 January 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: dovecot
Publisher: Debian
Operating System: Debian GNU/Linux 4.0
UNIX variants (UNIX, Linux, OSX)
Impact: Inappropriate Access
Access: Remote/Unauthenticated
CVE Names: CVE-2007-6598
Original Bulletin: http://www.debian.org/security/2008/dsa-1457
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running dovecot check for an updated version of the software
for their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1457-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
January 09, 2008 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : dovecot
Vulnerability : programming error
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2007-6598
It was discovered that Dovecot, a POP3 and IMAP server, only when used
with LDAP authentication and a base that contains variables, could allow
a user to log in to the account of another user with the same password.
For the unstable distribution (sid), this problem has been fixed in
version 1.0.10-1.
For the stable distribution (etch), this problem has been fixed in
version 1.0.rc15-2etch3.
The old stable distribution (sarge) is not affected.
We recommend that you upgrade your dovecot packages.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian 4.0 (stable)
- - -------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz
Size/MD5 checksum: 1463069 26f3d2b075856b1b1d180146363819e6
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch2.diff.gz
Size/MD5 checksum: 95447 4252a81404254f52b5e6c94a4de4523a
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch3.diff.gz
Size/MD5 checksum: 95500 0830883bb3ca7c2630997d965de70649
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch3.dsc
Size/MD5 checksum: 1007 5191ee3012a0cc39733193c0a252390b
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch2.dsc
Size/MD5 checksum: 1007 c3433847e48d110427082efcad604c01
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_alpha.deb
Size/MD5 checksum: 618976 eb902859a167ebafb599e61924acf195
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_alpha.deb
Size/MD5 checksum: 1374032 a3dcd337e6db9d0960c00bc338ef8ef2
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_alpha.deb
Size/MD5 checksum: 580876 bea05f9a7ea34106b4c24d616cc04b32
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch2_amd64.deb
Size/MD5 checksum: 1217404 d23db4b3ddd688c1fd2f1d071efbebb3
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch2_amd64.deb
Size/MD5 checksum: 568628 7e1bdb2f9f1b22d9195df779dc3a2c51
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_amd64.deb
Size/MD5 checksum: 534094 9c7af4af63a1e8fe9eefec8a47f12823
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_amd64.deb
Size/MD5 checksum: 568666 ef8531b8cf9e8bf4ef56e9d3ca856c30
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch2_amd64.deb
Size/MD5 checksum: 534050 12b89ff0b7b9401c53b92690bf271fa4
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_amd64.deb
Size/MD5 checksum: 1217440 e62e69df8289b9faf7dc784aa36653fb
arm architecture (ARM)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_arm.deb
Size/MD5 checksum: 1118112 c3596a761103d16762e93c33d7f6e058
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_arm.deb
Size/MD5 checksum: 535328 033b84c6b155e0d3313d52e133293d3f
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_arm.deb
Size/MD5 checksum: 503874 cd1650904a0f228c6b98af6e1bdac58f
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_hppa.deb
Size/MD5 checksum: 596448 6f670915264fc88cdcf54d6f718271da
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_hppa.deb
Size/MD5 checksum: 559828 3cd525f298dd4f95ddafc60fa00af2ad
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_hppa.deb
Size/MD5 checksum: 1293898 32a6bc67694aab1fba397f9b746ec00d
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_i386.deb
Size/MD5 checksum: 1127876 b720d23e84f19188a4a845a93e1afab5
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_i386.deb
Size/MD5 checksum: 512088 7f4afa3a1edcc4d9d609ec4e91804e7d
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_i386.deb
Size/MD5 checksum: 544222 ac00cab6f14766e6519106db934a346e
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_ia64.deb
Size/MD5 checksum: 733448 741376eac279addd80f1a5a4151c0190
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_ia64.deb
Size/MD5 checksum: 789836 1f324e98577f0813e0774aebdac4bf3c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_ia64.deb
Size/MD5 checksum: 1694506 8fb22f4e16d8829c972eb47d87326442
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_mips.deb
Size/MD5 checksum: 593186 9429f09e56a17852ec0d4f1883a44418
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_mips.deb
Size/MD5 checksum: 557174 ad2533c8d9f24818de213ec1ee9e563c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_mips.deb
Size/MD5 checksum: 1258326 faec7dd02f8997f5b61565d79b71dfe9
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_mipsel.deb
Size/MD5 checksum: 556708 e9a23056291e49b07720dfa128cf4355
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_mipsel.deb
Size/MD5 checksum: 592678 914d97a334c1e5d0c5da3419509053d7
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_mipsel.deb
Size/MD5 checksum: 1263238 51892e3eef20b05efdedafd93dfb8b27
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_powerpc.deb
Size/MD5 checksum: 533692 37d655f8f22d8e63fe57f707746d108c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_powerpc.deb
Size/MD5 checksum: 567296 c668c1a2296e5a54b4190608ae706564
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_powerpc.deb
Size/MD5 checksum: 1206504 556c296f2825c508775b5c910ad7f385
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_s390.deb
Size/MD5 checksum: 592970 6cfce6df2d58abd7e5002394221a0fff
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_s390.deb
Size/MD5 checksum: 1284770 d60983cf66112e20a71441a8df3ce0ad
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_s390.deb
Size/MD5 checksum: 557700 a400bbead94536ffd9e6434426307d8c
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_sparc.deb
Size/MD5 checksum: 499754 c0dfefb92101b244c56221c32fd1170c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_sparc.deb
Size/MD5 checksum: 1103550 dbb8d030cfd1a5e4029177e1251f578e
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_sparc.deb
Size/MD5 checksum: 531296 dd6dcf26a866c0590f4e8b746dc09bd4
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHhUctXm3vHE4uyloRAuD0AKDIe4vKOlDnBSB2qTpV7KHhGsPeQACfWdgs
AdPfywIwxYYP3rG84liTxdM=
=qN4+
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR4VYayh9+71yA2DNAQLDugP8C9A7rx2hvuyq8ZT9LoQKYmIFUPUxyCx1
VbbWXtXeMfn2jvzxfGwfd4Bh194M8zkN8Jg2O/BvdCK4+8u8sTeN8RJXBQgQxD/9
lAikQ0PRy4gTGr0TcEvPPngcp7CO5jactPaDDyo3SGmqUKrZJ3A6sJ5Bi+nxhlCJ
v5gPpWZ0vbI=
=LTfX
-----END PGP SIGNATURE-----