Debian: New dovecot packages fix privilege escalation

    Date: 14 Mar 2008
    Category: Debian
    Posted By: LinuxSecurity Advisories
    ------------------------------------------------------------------------
    Debian Security Advisory DSA-1516-1
    http://www.debian.org/security/                         Florian Weimer
    March 14, 2008                      http://www.debian.org/security/faq
    ------------------------------------------------------------------------
    
    Package        : dovecot
    Vulnerability  : privilege escalation
    Problem type   : local
    Debian-specific: no
    CVE Id(s)      : CVE-2008-1199 CVE-2008-1218
    Debian Bug     : 469457
    
    Prior to this update, the default configuration for Dovecot used by
    Debian runs the server daemons with group mail privileges.  This means
    that users with write access to their mail directory by other means
    (for example, through an SSH login) could read mailboxes owned by
    other users for which they do not have direct write access
    (CVE-2008-1199).  In addition, an internal interpretation conflict in
    password handling has been addressed proactively, even though it is
    not known to be exploitable (CVE-2008-1218).
    
    Note that applying this update requires manual action: The
    configuration setting "mail_extra_groups = mail" has been replaced
    with "mail_privileged_group = mail".  The update will show a
    configuration file conflict in /etc/dovecot/dovecot.conf.  It is
    recommended that you keep the currently installed configuration file,
    and change the affected line.  For your reference, the sample
    configuration (without your local changes) will have been written to
    /etc/dovecot/dovecot.conf.dpkg-new.
    
    If your current configuration uses mail_extra_groups with a value
    different from "mail", you may have to resort to the
    mail_access_groups configuration directive.
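The manual step above (keep your local dovecot.conf at the dpkg conffile prompt, then swap the directive by hand) is easy to get wrong on a fleet of hosts. The following shell function is an added example, not part of DSA-1516-1 or of the Dovecot package: it rewrites exactly the "mail_extra_groups = mail" form the advisory names, leaves a copy of the original file, and refuses to touch a mail_extra_groups line with any other value, since the advisory says those setups may need mail_access_groups instead. The function names, the backup suffix and the sample configuration are assumptions made for this example; point it at your real /etc/dovecot/dovecot.conf.

```shell
#!/bin/sh
# Added example (not part of DSA-1516-1): migrate a Dovecot 1.0 configuration
# from "mail_extra_groups = mail" to "mail_privileged_group = mail", the change
# the advisory asks administrators to make by hand after keeping their local
# /etc/dovecot/dovecot.conf at the dpkg conffile prompt.
# The function names, the ".pre-dsa1516" backup suffix and the sample
# configuration below are assumptions made for this example.

# migrate_dovecot_conf FILE
#   - rewrites "mail_extra_groups = mail" to "mail_privileged_group = mail"
#   - keeps a copy of the untouched file as FILE.pre-dsa1516
#   - leaves any other mail_extra_groups value alone and reports it, because
#     the advisory says such setups may need mail_access_groups instead
#   - returns 0 when the file is clean or was rewritten, 2 when a line needs
#     manual review, 1 when the file does not exist
migrate_dovecot_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    # Keep a copy before editing, as you would with any hand-edited conffile.
    cp -p "$conf" "$conf.pre-dsa1516"

    # Match only the exact form the advisory names: optional leading blanks,
    # the old directive, optional blanks around "=", the value "mail", then
    # end of line. A commented-out "#mail_extra_groups" line is not touched.
    # Writing through "cat >" instead of "mv" preserves the file's mode/owner.
    tmp="$conf.tmp.$$"
    sed -e 's/^\([[:space:]]*\)mail_extra_groups[[:space:]]*=[[:space:]]*mail[[:space:]]*$/\1mail_privileged_group = mail/' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"

    # Anything still setting mail_extra_groups uses a value other than "mail"
    # and is out of scope for an automatic rewrite.
    if grep -q '^[[:space:]]*mail_extra_groups[[:space:]]*=' "$conf"; then
        echo "manual review needed: mail_extra_groups with a non-mail value in $conf" >&2
        grep -n '^[[:space:]]*mail_extra_groups[[:space:]]*=' "$conf" >&2
        return 2
    fi
    return 0
}

# count_directive FILE DIRECTIVE
#   prints the number of active (uncommented) lines that set DIRECTIVE
count_directive() {
    grep -c "^[[:space:]]*$2[[:space:]]*=" "$1" || true
}

# Demonstration on a constructed configuration (not a real dovecot.conf).
demo_dir=$(mktemp -d)
printf '%s\n' 'protocols = imap pop3' 'mail_extra_groups = mail' > "$demo_dir/dovecot.conf"
migrate_dovecot_conf "$demo_dir/dovecot.conf" && echo "rewritten:" && cat "$demo_dir/dovecot.conf"
rm -rf "$demo_dir"
```

After running it, `count_directive /etc/dovecot/dovecot.conf mail_privileged_group` should report 1 and the same call for mail_extra_groups 0; a return code of 2 means the file has a mail_extra_groups line with a value other than "mail", which is the case the advisory leaves to the administrator.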
    
    For the stable distribution (etch), these problems have been fixed in
    version 1.0.rc15-2etch4.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 1.0.13-1.
    
    For the old stable distribution (sarge), no updates are provided.
    We recommend that you consider upgrading to the stable distribution.
    
    Upgrade instructions
    --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    -------------------------------
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch4.dsc
        Size/MD5 checksum:     1300 8146ccf246ed64e1ac8c0127489ec798
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz
        Size/MD5 checksum:  1463069 26f3d2b075856b1b1d180146363819e6
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch4.diff.gz
        Size/MD5 checksum:   102991 21959fc45cf0f8932fa9eb890791ff39
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_alpha.deb
        Size/MD5 checksum:   583482 a0d18885da096140ceb4110d525569d4
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_alpha.deb
        Size/MD5 checksum:  1379844 6103bce830848d3f9bb4347f5c9b94f0
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_alpha.deb
        Size/MD5 checksum:   621320 48127903af1fe2130cb84c57e5a607ff
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_amd64.deb
        Size/MD5 checksum:  1222430 1c2e1ffeb6bf745ed88cde01c62d264a
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_amd64.deb
        Size/MD5 checksum:   536634 4f64ed0cc16510e9c3d709342b3c57ca
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_amd64.deb
        Size/MD5 checksum:   569588 c17bac715f188f55ae20e5a3c95109b1
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_arm.deb
        Size/MD5 checksum:  1123030 47eb9fddcc68c2c213afa10c8e3d8747
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_arm.deb
        Size/MD5 checksum:   506134 0f4d939f2cf68f4e5b01140c846e50bc
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_arm.deb
        Size/MD5 checksum:   537564 82310ae4e42406429f8ade7cbb81abf0
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_hppa.deb
        Size/MD5 checksum:  1298818 603d12284115b6349e1d0334263d2af0
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_hppa.deb
        Size/MD5 checksum:   562192 413ac964849698428c1b08e9cc9075bc
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_hppa.deb
        Size/MD5 checksum:   598934 811c32b5c7e2009e5bf2f0ee0ea26859
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_i386.deb
        Size/MD5 checksum:  1133484 3bf26ab783ddffed0b3c5ee53225ba20
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_i386.deb
        Size/MD5 checksum:   546528 d53c11fd1c39870bd208d684e70e7551
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_i386.deb
        Size/MD5 checksum:   514280 e85dcbcdd9b85f6e09cdeb4c82b47916
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_ia64.deb
        Size/MD5 checksum:   793878 106fe266dd26373615772b4e3636a914
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_ia64.deb
        Size/MD5 checksum:   737582 18b15162711b22a704d0ff1ff26e0261
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_ia64.deb
        Size/MD5 checksum:  1701788 7535b0a3407f664efa66bcf86966ff85
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_mips.deb
        Size/MD5 checksum:   559520 96d7ff1bbd3a38fbdd3bd06b4bc939fb
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_mips.deb
        Size/MD5 checksum:   594680 41536feb8048183b78f0d1742278520c
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_mips.deb
        Size/MD5 checksum:  1265800 a42823e1253c78709d5d1c18668d9b40
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_mipsel.deb
        Size/MD5 checksum:  1268408 25c8582fea24e3174283066b7c8b6525
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_mipsel.deb
        Size/MD5 checksum:   594912 264c368593a3fe7a9268aadee2ab1292
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_mipsel.deb
        Size/MD5 checksum:   558832 d2a20bbfe49d234d0f3c7911c17c9bfb
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_powerpc.deb
        Size/MD5 checksum:   569772 e49cc25c54e4fa88217e0fa555de6039
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_powerpc.deb
        Size/MD5 checksum:   536000 92330b2d1fa2ae8bf6c1b8f05cea3d59
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_powerpc.deb
        Size/MD5 checksum:  1212096 e2339d417408e14eba21b28684926a5b
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_s390.deb
        Size/MD5 checksum:   559786 3f7faca1fa56aa29a013068e14e7fada
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_s390.deb
        Size/MD5 checksum:  1290186 5b8722445aab8b59ba15beae695e7f77
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_s390.deb
        Size/MD5 checksum:   595498 ad3af123ee9c10dece62ff7cf0e84b35
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_sparc.deb
        Size/MD5 checksum:   533482 576d0f5a1a733dad01c868095488afcf
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_sparc.deb
        Size/MD5 checksum:  1108250 1ac8086c83312fec554abd74074cf7b2
      http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_sparc.deb
        Size/MD5 checksum:   501514 27d4aa890df60532d0a33167df7af219
    
    
      These files will probably be moved into the stable distribution on
      its next update.
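The "wget url" then "dpkg -i file.deb" route skips apt's signature check, so the Size/MD5 lines above are the only integrity information you have for a manually fetched package. The functions below are an added example, not part of DSA-1516-1: one reads the expected size and digest for a given package filename out of a saved copy of the advisory text, the other compares a downloaded file against them before it is handed to dpkg. Function names and the embedded advisory excerpt are constructed for this example; md5sum and wc are the usual coreutils tools. MD5 is not collision resistant, so a match here protects against a truncated or corrupted download, not against a deliberately substituted package; the apt route with a signed Release file is the stronger check.

```shell
#!/bin/sh
# Added example, not part of DSA-1516-1: check a manually downloaded package
# against the "Size/MD5 checksum:" line the advisory publishes for it before
# running "dpkg -i". Function names and the constructed advisory excerpt below
# are assumptions made for this example; md5sum/wc come from coreutils.

# advisory_expected ADVISORY_FILE PACKAGE_FILENAME
#   prints "<size> <md5>" for PACKAGE_FILENAME, taken from the
#   "Size/MD5 checksum:" line that follows its URL in the advisory text
advisory_expected() {
    awk -v want="$2" '
        # URL line: remember whether its basename is the file we were asked about
        /^[[:space:]]*(http|ftp):/ { n = split($1, p, "/"); hit = (p[n] == want); next }
        # The checksum line directly after a matching URL carries size then md5
        hit && /Size\/MD5 checksum:/ { print $(NF-1), $NF; exit }
    ' "$1"
}

# verify_download FILE EXPECTED_SIZE EXPECTED_MD5
#   returns 0 only if both the byte size and the MD5 digest match
verify_download() {
    file="$1"; want_size="$2"; want_md5="$3"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    got_size=$(wc -c < "$file" | tr -d ' ')
    got_md5=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$got_size" != "$want_size" ] || [ "$got_md5" != "$want_md5" ]; then
        echo "MISMATCH $file: size $got_size (want $want_size) md5 $got_md5 (want $want_md5)" >&2
        return 1
    fi
    echo "OK $file"
    return 0
}

# check_against_advisory ADVISORY_FILE FILE
#   looks the file's basename up in the advisory and verifies it in one step
check_against_advisory() {
    expected=$(advisory_expected "$1" "$(basename "$2")")
    [ -n "$expected" ] || { echo "not listed in advisory: $2" >&2; return 1; }
    verify_download "$2" $expected
}

# Demonstration with a constructed advisory excerpt and a constructed file
# (a .deb is just bytes to the check, so a six-byte file stands in for one).
demo=$(mktemp -d)
cat > "$demo/advisory.txt" <<'EOF'
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch4.dsc
    Size/MD5 checksum:     1300 8146ccf246ed64e1ac8c0127489ec798
  http://example.invalid/pool/example_1.0_all.deb
    Size/MD5 checksum:        6 b1946ac92492d2347c6235b4d2611184
EOF
printf 'hello\n' > "$demo/example_1.0_all.deb"
check_against_advisory "$demo/advisory.txt" "$demo/example_1.0_all.deb"
rm -rf "$demo"
```

Save the advisory e-mail as a text file, run `check_against_advisory advisory.txt dovecot-common_1.0.rc15-2etch4_i386.deb` (or whichever architecture you fetched), and only hand the file to dpkg -i on an "OK" result.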
    
    ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    