Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0146
Dovecot vulnerabilities
9 February 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: dovecot
Publisher: Ubuntu
Operating System: Ubuntu
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Existing Account
Unauthorised Access -- Existing Account
Read-only Data Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2010-3780 CVE-2010-3779 CVE-2010-3707
CVE-2010-3706 CVE-2010-3304
Reference: ESB-2010.1002
Original Bulletin:
http://www.ubuntu.com/usn/usn-1059-1
Comment: This advisory references vulnerabilities in products which run on
platforms other than Ubuntu. It is recommended that administrators
running dovecot check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
===========================================================
Ubuntu Security Notice USN-1059-1 February 07, 2011
dovecot vulnerabilities
CVE-2010-3304, CVE-2010-3706, CVE-2010-3707, CVE-2010-3779,
CVE-2010-3780
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 10.04 LTS
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 10.04 LTS:
dovecot-common 1:1.2.9-1ubuntu6.3
Ubuntu 10.10:
dovecot-common 1:1.2.12-1ubuntu8.1
In general, a standard system update will make all the necessary changes.
Details follow:
It was discovered that the ACL plugin in Dovecot would incorrectly
propagate ACLs to new mailboxes. A remote authenticated user could possibly
read new mailboxes that were created with the wrong ACL. (CVE-2010-3304)
It was discovered that the ACL plugin in Dovecot would incorrectly merge
ACLs in certain circumstances. A remote authenticated user could possibly
bypass intended access restrictions and gain access to mailboxes.
(CVE-2010-3706, CVE-2010-3707)
It was discovered that the ACL plugin in Dovecot would incorrectly grant
the admin permission to owners of certain mailboxes. A remote authenticated
user could possibly bypass intended access restrictions and gain access to
mailboxes. (CVE-2010-3779)
It was discovered that Dovecot incorrecly handled the simultaneous
disconnect of a large number of sessions. A remote authenticated user could
use this flaw to cause Dovecot to crash, resulting in a denial of service.
(CVE-2010-3780)
Updated packages for Ubuntu 10.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.2.9-1ub=
untu6.3.debian.tar.gz
Size/MD5: 1418658 e63585f0ff54bca7e0bf13cfc231b71f
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.2.9-1ub=
untu6.3.dsc
Size/MD5: 2318 fec51e228070f787fb056143796db75c
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.2.9.ori=
g.tar.gz
Size/MD5: 2889394 036ff97fb248dae3bd4b796a0644634f
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-postfix_1=
.2.9-1ubuntu6.3_all.deb
Size/MD5: 517504 dbca36979cd97e82d8aa5a97e677ae09
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
2.9-1ubuntu6.3_amd64.deb
Size/MD5: 5512258 e5d7ae5b2c55b255804a0f3996edb3fe
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dbg_1.2.9=
- -1ubuntu6.3_amd64.deb
Size/MD5: 14963328 1ccfc078b3230a780306bde804bfaba3
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.2.9=
- -1ubuntu6.3_amd64.deb
Size/MD5: 659902 1581f01ffeb79f2660cd36ff5bd71ffc
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.2=
.9-1ubuntu6.3_amd64.deb
Size/MD5: 1200744 aa69e75cf135728602d79ba246573527
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.2=
.9-1ubuntu6.3_amd64.deb
Size/MD5: 1093072 6eee0eeb2518e04cb1a2144f7f17d3d4
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
2.9-1ubuntu6.3_i386.deb
Size/MD5: 5216218 25ec6a29054490f2c375afff3c32da4c
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dbg_1.2.9=
- -1ubuntu6.3_i386.deb
Size/MD5: 14832598 ff39bdbfadc6db0fe3f065e41ee814fd
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.2.9=
- -1ubuntu6.3_i386.deb
Size/MD5: 659420 b17a74bc656c284905f56c0a57ce4967
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.2=
.9-1ubuntu6.3_i386.deb
Size/MD5: 1165324 90896ac034e6f8330941ccdcbbb89706
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.2=
.9-1ubuntu6.3_i386.deb
Size/MD5: 1064182 208bf8c365d586b448a4dd9b1f35348c
armel architecture (ARM Architecture):
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.2.9-1ubunt=
u6.3_armel.deb
Size/MD5: 4884006 b25ca8e16b8b3cc6b35668ccc61acee4
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dbg_1.2.9-1ubuntu6.=
3_armel.deb
Size/MD5: 15029038 cfeb4beeab0436c51610548891daeb3b
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.2.9-1ubuntu6.=
3_armel.deb
Size/MD5: 659290 a76eba105ff7737ea253ea4e47630df9
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.2.9-1ubuntu=
6.3_armel.deb
Size/MD5: 1117728 0a9ac5eed3e7ee4cedbbce7fb4d00f4e
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.2.9-1ubuntu=
6.3_armel.deb
Size/MD5: 1022380 4b2ef79d7af993f14f1fe4f98763ef8a
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.2.9-1ubunt=
u6.3_powerpc.deb
Size/MD5: 5569840 8684510a8a22672e6d392b00bc8509b2
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dbg_1.2.9-1ubuntu6.=
3_powerpc.deb
Size/MD5: 15366966 e99997cb326c9803f63ab53211c3fe1f
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.2.9-1ubuntu6.=
3_powerpc.deb
Size/MD5: 656482 59256f0c930f644d6b0adc995daa8a9a
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.2.9-1ubuntu=
6.3_powerpc.deb
Size/MD5: 1219628 66118e59a5ed500f754b00c2b4a645f0
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.2.9-1ubuntu=
6.3_powerpc.deb
Size/MD5: 1107240 76e505910a9d9120b27228b6f46483ea
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.2.9-1ubunt=
u6.3_sparc.deb
Size/MD5: 5315260 91239166c042cb1776f53aec4942bd9c
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dbg_1.2.9-1ubuntu6.=
3_sparc.deb
Size/MD5: 14201530 400e1594cc8dc50607a6e30bc2409910
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.2.9-1ubuntu6.=
3_sparc.deb
Size/MD5: 656468 d61d6e6bde0d48346018a432badee15e
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.2.9-1ubuntu=
6.3_sparc.deb
Size/MD5: 1189960 8c93283a7425f5ffb2cba844edf6db56
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.2.9-1ubuntu=
6.3_sparc.deb
Size/MD5: 1081132 ca8c6c4944e22f23fcdde4b55374e41d
Updated packages for Ubuntu 10.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.2.12-1u=
buntu8.1.debian.tar.gz
Size/MD5: 1538312 e1d8c3fe8f56021c4c12d8c334412f0b
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.2.12-1u=
buntu8.1.dsc
Size/MD5: 2347 8ede599bb24182293c4d6151c3f5c34a
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.2.12.or=
ig.tar.gz
Size/MD5: 2882517 cc8e5c53cd0943ce0b5e1087356ad4ea
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-postfix_1=
.2.12-1ubuntu8.1_all.deb
Size/MD5: 522198 b5ee6b912defe13e6899cba856c03836
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/mail-stack-delive=
ry_1.2.12-1ubuntu8.1_all.deb
Size/MD5: 525996 063bf23bee428827de152998fce3855f
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
2.12-1ubuntu8.1_amd64.deb
Size/MD5: 5561644 edb933283a0b70dd78c9be26b6d23dbb
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dbg_1.2.1=
2-1ubuntu8.1_amd64.deb
Size/MD5: 15315074 0db6f32bbdc1cfd4f61ebb3ede83bf67
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.2.1=
2-1ubuntu8.1_amd64.deb
Size/MD5: 664354 359aff3615bb4c929a23e3f7d34b0817
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.2=
.12-1ubuntu8.1_amd64.deb
Size/MD5: 1202962 01e84db943a506d3e449ec7198be115c
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.2=
.12-1ubuntu8.1_amd64.deb
Size/MD5: 1096030 409378f2fd83bf1db66383bd30f80c4d
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.=
2.12-1ubuntu8.1_i386.deb
Size/MD5: 5246496 17d4a818b64e265f244a0110d027a33d
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dbg_1.2.1=
2-1ubuntu8.1_i386.deb
Size/MD5: 15173598 dbadcbf9c428b908f074f29b9687fb1f
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-dev_1.2.1=
2-1ubuntu8.1_i386.deb
Size/MD5: 664386 c8b2ffd0f0ae892fd792d71b11f29658
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.2=
.12-1ubuntu8.1_i386.deb
Size/MD5: 1166874 2d6b53c0113f91db83d0497d878fccb4
http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.2=
.12-1ubuntu8.1_i386.deb
Size/MD5: 1065500 17fddc68c95dbfdce3d74812a707eca3
armel architecture (ARM Architecture):
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.2.12-1ubun=
tu8.1_armel.deb
Size/MD5: 5262734 38a9be4a1b9a2cedaa9c9eb3c16c79b5
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dbg_1.2.12-1ubuntu8=
.1_armel.deb
Size/MD5: 15518084 b8c34a059e680d8e6277bfd413dd95b3
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.2.12-1ubuntu8=
.1_armel.deb
Size/MD5: 667334 a37e1a557224328422e4bbe989f831e3
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.2.12-1ubunt=
u8.1_armel.deb
Size/MD5: 1169838 945c88bfb26e32c828bccc72f4fe0ad3
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.2.12-1ubunt=
u8.1_armel.deb
Size/MD5: 1069910 444e4fde0cabe6ec435c539fdb7fd87b
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-common_1.2.12-1ubun=
tu8.1_powerpc.deb
Size/MD5: 5615034 3462d60a1c4d7b2510ca5721a0ea6726
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dbg_1.2.12-1ubuntu8=
.1_powerpc.deb
Size/MD5: 15747518 a38d8e6c790a1c2beb528a0b8c7a92ce
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-dev_1.2.12-1ubuntu8=
.1_powerpc.deb
Size/MD5: 664372 9e5f5e9164c8537092faeab594f21083
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-imapd_1.2.12-1ubunt=
u8.1_powerpc.deb
Size/MD5: 1220492 88d7ed99069a33560387e93f8e3d3b29
http://ports.ubuntu.com/pool/main/d/dovecot/dovecot-pop3d_1.2.12-1ubunt=
u8.1_powerpc.deb
Size/MD5: 1109338 63407bf75988c92d4279229280591ce6
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFNUfe3/iFOrG6YcBERAmRhAKCZoYamWzEE2RovJkAX+83AFlVAHQCfdYJP
BA75sngRF+McGZtfkXqF03U=
=nAi4
-----END PGP SIGNATURE-----