Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 556
Alerts This Week
Warning Icon 1 556

Scientific Linux: CVE-2011-2166 Low: Dovecot Access Restrictions Issue

Scientific Large Esm H446
Low: dovecot security and bug fix update
Date: Mon, 4 Mar 2013 13:09:42 -0600
Reply-To: Pat Riehecky 
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Organization: Fermilab
Subject: Security ERRATA Low: dovecot on SL6.x i386/x86_64
MIME-Version: 1.0

Synopsis: Low: dovecot security and bug fix update
Issue Date: 2013-02-21
CVE Numbers: CVE-2011-2166
 CVE-2011-2167
 CVE-2011-4318
--

Two flaws were found in the way some settings were enforced by the
script-login
functionality of Dovecot. A remote, authenticated user could use these
flaws to
bypass intended access restrictions or conduct a directory traversal
attack by
leveraging login scripts. (CVE-2011-2166, CVE-2011-2167)

A flaw was found in the way Dovecot performed remote server identity
verification, when it was configured to proxy IMAP and POP3 connections to
remote hosts using TLS/SSL protocols. A remote attacker could use this
flaw to
conduct man-in-the-middle attacks using an X.509 certificate issued by a
trusted Certificate Authority (for a different name). (CVE-2011-4318)

This update also fixes the following bug:

* When a new user first accessed their IMAP inbox, Dovecot was, under some
circumstances, unable to change the group ownership of the inbox
directory in
the user's Maildir location to match that of the user's mail spool
(/var/mail/$USER). This correctly generated an "Internal error occurred"
message. However, with a subsequent attempt to access the inbox, Dovecot saw
that the directory already existed and proceeded with its operation, leaving
the directory with incorrectly set permissions. This update corrects the
underlying permissions setting error. When a new user now accesses their
inbox
for the first time, and it is not possible to set group ownership, Dovecot
removes the created directory and generates an error message instead of
keeping
the directory with incorrect group ownership.

After installing the updated packages, the dovecot service will be restarted
automatically.
--

SL6
 x86_64
 dovecot-2.0.9-5.el6.i686.rpm
 dovecot-2.0.9-5.el6.x86_64.rpm
 dovecot-debuginfo-2.0.9-5.el6.i686.rpm
 dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm
 dovecot-mysql-2.0.9-5.el6.x86_64.rpm
 dovecot-pgsql-2.0.9-5.el6.x86_64.rpm
 dovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm
 dovecot-devel-2.0.9-5.el6.x86_64.rpm
 i386
 dovecot-2.0.9-5.el6.i686.rpm
 dovecot-debuginfo-2.0.9-5.el6.i686.rpm
 dovecot-mysql-2.0.9-5.el6.i686.rpm
 dovecot-pgsql-2.0.9-5.el6.i686.rpm
 dovecot-pigeonhole-2.0.9-5.el6.i686.rpm
 dovecot-devel-2.0.9-5.el6.i686.rpm

- Scientific Linux Development Team