-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2008:232 http://www.mandriva.com/security/ _______________________________________________________________________ Package : dovecot Date : November 19, 2008 Affected: 2009.0 _______________________________________________________________________ Problem Description: The ACL plugin in dovecot prior to version 1.1.4 treated negative access rights as though they were positive access rights, which allowed attackers to bypass intended access restrictions (CVE-2008-4577). The ACL plugin in dovecot prior to version 1.1.6 allowed attackers to bypass intended access restrictions by using the 'k' right to create unauthorized 'parent/child/child' mailboxes (CVE-2008-4578). In addition, two bugs were discovered in the dovecot package shipped with Mandriva Linux 2009.0. The default permissions on the dovecot.conf configuration file were too restrictive, which prevents the use of dovecot's 'deliver' command as a non-root user. Secondly, dovecot should not start until after ntpd, if ntpd is active, because if ntpd corrects the time backwards while dovecot is running, dovecot will quit automatically, with the log message 'Time just moved backwards by X seconds. This might cause a lot of problems, so I'll just kill myself now.' The update resolves both these problems. The default permissions on dovecot.conf now allow the 'deliver' command to read the file. Note that if you edited dovecot.conf at all prior to installing the update, the new permissions may not be applied. If you find the 'deliver' command still does not work following the update, please run these commands as root: # chmod 0640 /etc/dovecot.conf # chown root:mail /etc/dovecot.conf Dovecot's initialization script now configures it to start after the ntpd service, to ensure ntpd resetting the clock does not interfere with Dovecot operation. This package corrects the above-noted bugs and security issues by upgrading to the latest dovecot 1.1.6, which also provides additional bug fixes. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4578 https://qa.mandriva.com/44926 _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.0: 437fcab249d5274b3101bb7c953c2a79 2009.0/i586/dovecot-1.1.6-0.1mdv2009.0.i586.rpm 0ca908249ab050c56e61dadfd0fb1c33 2009.0/i586/dovecot-devel-1.1.6-0.1mdv2009.0.i586.rpm 48b2d085ef9a6a1c1dfcb55f3af6090b 2009.0/i586/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.i586.rpm 8698367ab382293be85e3e7fb65b38ca 2009.0/i586/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.i586.rpm c2878a5f597b8a9f66605df32cf65a06 2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 1c4936b072f401ea2c94c6c7b3d6b427 2009.0/x86_64/dovecot-1.1.6-0.1mdv2009.0.x86_64.rpm 5d869999de273e36c8bda186fb2610a0 2009.0/x86_64/dovecot-devel-1.1.6-0.1mdv2009.0.x86_64.rpm 9bc71b93dce1b7995039e0cbf7623803 2009.0/x86_64/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.x86_64.rpm 264aaf2cbec7ef2ea7071f14b6bf174a 2009.0/x86_64/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.x86_64.rpm c2878a5f597b8a9f66605df32cf65a06 2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJJFP0mqjQ0CJFipgRAuoeAJ0WfJeaYMYjf3AqlqNMB5bgLqLUyACfVeUw J+LV2A2JkunA7NIvHpNp96M= =mVwB -----END PGP SIGNATURE-----