Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0028 -- [UNIX/Linux][Debian] New dovecot packages fix information disclosure 10 January 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: dovecot Publisher: Debian Operating System: Debian GNU/Linux 4.0 UNIX variants (UNIX, Linux, OSX) Impact: Inappropriate Access Access: Remote/Unauthenticated CVE Names: CVE-2007-6598 Original Bulletin: http://www.debian.org/security/2008/dsa-1457 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running dovecot check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1457-1 security@debian.org http://www.debian.org/security/ Thijs Kinkhorst January 09, 2008 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : dovecot Vulnerability : programming error Problem-Type : remote Debian-specific: no CVE ID : CVE-2007-6598 It was discovered that Dovecot, a POP3 and IMAP server, only when used with LDAP authentication and a base that contains variables, could allow a user to log in to the account of another user with the same password. For the unstable distribution (sid), this problem has been fixed in version 1.0.10-1. For the stable distribution (etch), this problem has been fixed in version 1.0.rc15-2etch3. The old stable distribution (sarge) is not affected. We recommend that you upgrade your dovecot packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian 4.0 (stable) - - ------------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz Size/MD5 checksum: 1463069 26f3d2b075856b1b1d180146363819e6 http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch2.diff.gz Size/MD5 checksum: 95447 4252a81404254f52b5e6c94a4de4523a http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch3.diff.gz Size/MD5 checksum: 95500 0830883bb3ca7c2630997d965de70649 http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch3.dsc Size/MD5 checksum: 1007 5191ee3012a0cc39733193c0a252390b http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch2.dsc Size/MD5 checksum: 1007 c3433847e48d110427082efcad604c01 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_alpha.deb Size/MD5 checksum: 618976 eb902859a167ebafb599e61924acf195 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_alpha.deb Size/MD5 checksum: 1374032 a3dcd337e6db9d0960c00bc338ef8ef2 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_alpha.deb Size/MD5 checksum: 580876 bea05f9a7ea34106b4c24d616cc04b32 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch2_amd64.deb Size/MD5 checksum: 1217404 d23db4b3ddd688c1fd2f1d071efbebb3 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch2_amd64.deb Size/MD5 checksum: 568628 7e1bdb2f9f1b22d9195df779dc3a2c51 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_amd64.deb Size/MD5 checksum: 534094 9c7af4af63a1e8fe9eefec8a47f12823 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_amd64.deb Size/MD5 checksum: 568666 ef8531b8cf9e8bf4ef56e9d3ca856c30 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch2_amd64.deb Size/MD5 checksum: 534050 12b89ff0b7b9401c53b92690bf271fa4 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_amd64.deb Size/MD5 checksum: 1217440 e62e69df8289b9faf7dc784aa36653fb arm architecture (ARM) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_arm.deb Size/MD5 checksum: 1118112 c3596a761103d16762e93c33d7f6e058 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_arm.deb Size/MD5 checksum: 535328 033b84c6b155e0d3313d52e133293d3f http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_arm.deb Size/MD5 checksum: 503874 cd1650904a0f228c6b98af6e1bdac58f hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_hppa.deb Size/MD5 checksum: 596448 6f670915264fc88cdcf54d6f718271da http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_hppa.deb Size/MD5 checksum: 559828 3cd525f298dd4f95ddafc60fa00af2ad http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_hppa.deb Size/MD5 checksum: 1293898 32a6bc67694aab1fba397f9b746ec00d i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_i386.deb Size/MD5 checksum: 1127876 b720d23e84f19188a4a845a93e1afab5 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_i386.deb Size/MD5 checksum: 512088 7f4afa3a1edcc4d9d609ec4e91804e7d http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_i386.deb Size/MD5 checksum: 544222 ac00cab6f14766e6519106db934a346e ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_ia64.deb Size/MD5 checksum: 733448 741376eac279addd80f1a5a4151c0190 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_ia64.deb Size/MD5 checksum: 789836 1f324e98577f0813e0774aebdac4bf3c http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_ia64.deb Size/MD5 checksum: 1694506 8fb22f4e16d8829c972eb47d87326442 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_mips.deb Size/MD5 checksum: 593186 9429f09e56a17852ec0d4f1883a44418 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_mips.deb Size/MD5 checksum: 557174 ad2533c8d9f24818de213ec1ee9e563c http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_mips.deb Size/MD5 checksum: 1258326 faec7dd02f8997f5b61565d79b71dfe9 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_mipsel.deb Size/MD5 checksum: 556708 e9a23056291e49b07720dfa128cf4355 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_mipsel.deb Size/MD5 checksum: 592678 914d97a334c1e5d0c5da3419509053d7 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_mipsel.deb Size/MD5 checksum: 1263238 51892e3eef20b05efdedafd93dfb8b27 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_powerpc.deb Size/MD5 checksum: 533692 37d655f8f22d8e63fe57f707746d108c http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_powerpc.deb Size/MD5 checksum: 567296 c668c1a2296e5a54b4190608ae706564 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_powerpc.deb Size/MD5 checksum: 1206504 556c296f2825c508775b5c910ad7f385 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_s390.deb Size/MD5 checksum: 592970 6cfce6df2d58abd7e5002394221a0fff http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_s390.deb Size/MD5 checksum: 1284770 d60983cf66112e20a71441a8df3ce0ad http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_s390.deb Size/MD5 checksum: 557700 a400bbead94536ffd9e6434426307d8c sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_sparc.deb Size/MD5 checksum: 499754 c0dfefb92101b244c56221c32fd1170c http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_sparc.deb Size/MD5 checksum: 1103550 dbb8d030cfd1a5e4029177e1251f578e http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_sparc.deb Size/MD5 checksum: 531296 dd6dcf26a866c0590f4e8b746dc09bd4 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHhUctXm3vHE4uyloRAuD0AKDIe4vKOlDnBSB2qTpV7KHhGsPeQACfWdgs AdPfywIwxYYP3rG84liTxdM= =qN4+ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBR4VYayh9+71yA2DNAQLDugP8C9A7rx2hvuyq8ZT9LoQKYmIFUPUxyCx1 VbbWXtXeMfn2jvzxfGwfd4Bh194M8zkN8Jg2O/BvdCK4+8u8sTeN8RJXBQgQxD/9 lAikQ0PRy4gTGr0TcEvPPngcp7CO5jactPaDDyo3SGmqUKrZJ3A6sJ5Bi+nxhlCJ v5gPpWZ0vbI= =LTfX -----END PGP SIGNATURE-----