Mandriva Linux Security Advisory 2008-232 - The ACL plugin in dovecot prior to version 1.1.4 treated negative access rights as though they were positive access rights, which allowed attackers to bypass intended access restrictions. The ACL plugin in dovecot prior to version 1.1.6 allowed attackers to bypass intended access restrictions by using the 'k' right to create unauthorized 'parent/child/child' mailboxes.
3dcb5d843d56558227e4581b0d21854b12e0ece4e41854a8044f583cb9217495
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2008:232
http://www.mandriva.com/security/
_______________________________________________________________________
Package : dovecot
Date : November 19, 2008
Affected: 2009.0
_______________________________________________________________________
Problem Description:
The ACL plugin in dovecot prior to version 1.1.4 treated negative
access rights as though they were positive access rights, which allowed
attackers to bypass intended access restrictions (CVE-2008-4577).
The ACL plugin in dovecot prior to version 1.1.6 allowed attackers to
bypass intended access restrictions by using the 'k' right to create
unauthorized 'parent/child/child' mailboxes (CVE-2008-4578).
In addition, two bugs were discovered in the dovecot package shipped
with Mandriva Linux 2009.0. The default permissions on the dovecot.conf
configuration file were too restrictive, which prevents the use of
dovecot's 'deliver' command as a non-root user. Secondly, dovecot
should not start until after ntpd, if ntpd is active, because if ntpd
corrects the time backwards while dovecot is running, dovecot will
quit automatically, with the log message 'Time just moved backwards
by X seconds. This might cause a lot of problems, so I'll just kill
myself now.' The update resolves both these problems. The default
permissions on dovecot.conf now allow the 'deliver' command to read the
file. Note that if you edited dovecot.conf at all prior to installing
the update, the new permissions may not be applied. If you find the
'deliver' command still does not work following the update, please
run these commands as root:
# chmod 0640 /etc/dovecot.conf
# chown root:mail /etc/dovecot.conf
Dovecot's initialization script now configures it to start after the
ntpd service, to ensure ntpd resetting the clock does not interfere
with Dovecot operation.
This package corrects the above-noted bugs and security issues by
upgrading to the latest dovecot 1.1.6, which also provides additional
bug fixes.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4578
https://qa.mandriva.com/44926
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
437fcab249d5274b3101bb7c953c2a79 2009.0/i586/dovecot-1.1.6-0.1mdv2009.0.i586.rpm
0ca908249ab050c56e61dadfd0fb1c33 2009.0/i586/dovecot-devel-1.1.6-0.1mdv2009.0.i586.rpm
48b2d085ef9a6a1c1dfcb55f3af6090b 2009.0/i586/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.i586.rpm
8698367ab382293be85e3e7fb65b38ca 2009.0/i586/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.i586.rpm
c2878a5f597b8a9f66605df32cf65a06 2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
1c4936b072f401ea2c94c6c7b3d6b427 2009.0/x86_64/dovecot-1.1.6-0.1mdv2009.0.x86_64.rpm
5d869999de273e36c8bda186fb2610a0 2009.0/x86_64/dovecot-devel-1.1.6-0.1mdv2009.0.x86_64.rpm
9bc71b93dce1b7995039e0cbf7623803 2009.0/x86_64/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.x86_64.rpm
264aaf2cbec7ef2ea7071f14b6bf174a 2009.0/x86_64/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.x86_64.rpm
c2878a5f597b8a9f66605df32cf65a06 2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJJFP0mqjQ0CJFipgRAuoeAJ0WfJeaYMYjf3AqlqNMB5bgLqLUyACfVeUw
J+LV2A2JkunA7NIvHpNp96M=
=mVwB
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed