-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1892-1 security@debian.org http://www.debian.org/security/ Giuseppe Iuculano September 23, 2009 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Packages : dovecot Vulnerability : buffer overflow Problem type : local (remote) Debian-specific: no CVE IDs : CVE-2009-2632 CVE-2009-3235 Debian Bug : 546656 It was discovered that the SIEVE component of dovecot, a mail server that supports mbox and maildir mailboxes, is vulnerable to a buffer overflow when processing SIEVE scripts. This can be used to elevate privileges to the dovecot system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system. For the oldstable distribution (etch), this problem has been fixed in version 1.0.rc15-2etch5. For the stable distribution (lenny), this problem has been fixed in version 1:1.0.15-2.3+lenny1. For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 1:1.2.1-1. We recommend that you upgrade your dovecot packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Debian (oldstable) - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch5.diff.gz Size/MD5 checksum: 105496 25968ea91265d9c79869fd13e1cf18a7 http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz Size/MD5 checksum: 1463069 26f3d2b075856b1b1d180146363819e6 http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch5.dsc Size/MD5 checksum: 1017 69660b4d8bd4c443a9e6a445cee73ae4 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_alpha.deb Size/MD5 checksum: 583336 05cdd40c7eca4f076ebe18629d497b3b http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_alpha.deb Size/MD5 checksum: 621512 58f8c92c7567a9c1ed6eee44979e7abf http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_alpha.deb Size/MD5 checksum: 1378160 512ca0853d71066040c22daae6ff0e3a amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_amd64.deb Size/MD5 checksum: 1224200 c43f474ed1a38e2b717463faf4a603a9 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_amd64.deb Size/MD5 checksum: 536502 9bc2da44bcb81f7c1d5a3381bc02c950 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_amd64.deb Size/MD5 checksum: 570646 7a5e8aa209ecee48bbc9daa5c5364788 arm architecture (ARM) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_arm.deb Size/MD5 checksum: 506574 6a4be002eaaf4932161c03ef9a170e72 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_arm.deb Size/MD5 checksum: 537184 d5d095c9771afaacfbd863f2f37700f6 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_arm.deb Size/MD5 checksum: 1118568 c884c1632c4e20d9b6636806d2039b29 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_hppa.deb Size/MD5 checksum: 561854 1911ecd7f8336deb46986f3f37fae039 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_hppa.deb Size/MD5 checksum: 1297502 a965f31d08deb751b26ca9a7b467aa9c http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_hppa.deb Size/MD5 checksum: 600138 867931a360b0bfeea1f3e28dfb073bf7 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_i386.deb Size/MD5 checksum: 514726 e2fe7ef8a944f84d59c4d13c2583f37f http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_i386.deb Size/MD5 checksum: 547040 41d4f84120825e06e41ff079dabd0429 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_i386.deb Size/MD5 checksum: 1135076 3e11a2b0f46ce7452760264a478a07a2 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_ia64.deb Size/MD5 checksum: 1702256 e292ef2a99bb7868fd131574b0dcb876 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_ia64.deb Size/MD5 checksum: 737696 b3ee10e9ca9b771fb7f15ed508173628 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_ia64.deb Size/MD5 checksum: 793994 888618682b965c75167249e9177aea29 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_mipsel.deb Size/MD5 checksum: 558948 c42d2f897b76a5635d45bc196dbb1fdf http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_mipsel.deb Size/MD5 checksum: 1268494 800381d4b15c5857dabe79e37fd1003a http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_mipsel.deb Size/MD5 checksum: 595020 33ff0bc5c3755320bd209d4837742a1a powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_powerpc.deb Size/MD5 checksum: 1212206 dcef8ac28680d74ed0e3e2586cd3d056 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_powerpc.deb Size/MD5 checksum: 569890 b549032c41f1a1f2de3a96a99a92b2e8 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_powerpc.deb Size/MD5 checksum: 536100 1e073cad6b24f04f1d10e43c3c2b5c7f s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_s390.deb Size/MD5 checksum: 1290172 fc78f024c57fd97448a1cab449d97c26 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_s390.deb Size/MD5 checksum: 595622 4f35eef9b7f47a5689f1a3bffb0b1496 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_s390.deb Size/MD5 checksum: 559910 472231dbce114cf79838f7c34d0850b9 Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15.orig.tar.gz Size/MD5 checksum: 1783347 aa39c11c18df6b95b64d4f04d793d77a http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.dsc Size/MD5 checksum: 1614 d0b83408d8c8324fdfa03b80cdbed4f6 http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.diff.gz Size/MD5 checksum: 216038 45614e66070551b80bcbd803113f22d6 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_alpha.deb Size/MD5 checksum: 389244 a5b09618e986ca9e9181ce1ae3ec693e http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_alpha.deb Size/MD5 checksum: 669230 3e0622750be09c51dae2b0ffee7d015c http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_alpha.deb Size/MD5 checksum: 2309838 6f608b22a263d8f5ef8768bbe7a728a6 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_alpha.deb Size/MD5 checksum: 709292 6c68631fa3541bc48ca897d98e498274 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_amd64.deb Size/MD5 checksum: 390826 7386cae0c224a81a3a69a4c59dc53b1b http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_amd64.deb Size/MD5 checksum: 632604 4f8004c08a2d8c56907571b015f279d8 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_amd64.deb Size/MD5 checksum: 669682 3ffaccbe054991901b258c204a59bd07 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_amd64.deb Size/MD5 checksum: 2106030 bde9f3caac387c20b423d71c3213aaac arm architecture (ARM) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_arm.deb Size/MD5 checksum: 620406 34980793a3cf093446b18614880d7c4d http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_arm.deb Size/MD5 checksum: 390376 60ee2b17f10334253ea32654e741b006 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_arm.deb Size/MD5 checksum: 588296 12f73940ba5583e6c81a38a9d6663cdf http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_arm.deb Size/MD5 checksum: 1901028 3c23a98d1f07817db4a314865243ae13 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_armel.deb Size/MD5 checksum: 391168 8049082b57c86d865d51679db193d5fa http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_armel.deb Size/MD5 checksum: 626970 2bcd781a52cac6cf397b5df9e1e144b1 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_armel.deb Size/MD5 checksum: 594616 1515c12da34869de4f5616fe6143aee0 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_armel.deb Size/MD5 checksum: 1932436 63c7c48a798aeb72d11b622057eb6ad5 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_hppa.deb Size/MD5 checksum: 390606 ab3bd158a5930daad61b9dffb3bb130e http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_hppa.deb Size/MD5 checksum: 638882 e3ec95e636c33c400266c5419e18e864 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_hppa.deb Size/MD5 checksum: 677942 808cfe06b6b4325b9ea13008d35918b2 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_hppa.deb Size/MD5 checksum: 2162538 3f41711076b008bc16ee08e7e822f703 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_i386.deb Size/MD5 checksum: 1938596 0113ec4318618383c6945ad66ac457ab http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_i386.deb Size/MD5 checksum: 602896 93b9ffb25946df4200203a236839d967 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_i386.deb Size/MD5 checksum: 636970 40f7a7785597f69f39991c35865c1df8 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_i386.deb Size/MD5 checksum: 390674 615f9e862c4c2b14db2fbed7f3a0089f ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_ia64.deb Size/MD5 checksum: 878572 21ea3f8af009b4c0668310a1d42ff6e8 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_ia64.deb Size/MD5 checksum: 2857622 5710f0fe4c677388e61268c1b6d28a9a http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_ia64.deb Size/MD5 checksum: 389246 afaa27855049264e8d1bc6272c619c68 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_ia64.deb Size/MD5 checksum: 818126 94b7b844dfb2d352901a0570dcc9446a mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_mips.deb Size/MD5 checksum: 389274 39038f291d9e447928d0ce4cc69547f8 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_mips.deb Size/MD5 checksum: 631574 6c011d890fb624ab2fb42f9d531c56c6 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_mips.deb Size/MD5 checksum: 2104730 a5c2b94943df80bb457afdb7ebdd1047 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_mips.deb Size/MD5 checksum: 668110 027bdd8d539ad64838e70d01b817ab9a mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_mipsel.deb Size/MD5 checksum: 389284 7393c2e406358c4ff44f1936e77289bc http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_mipsel.deb Size/MD5 checksum: 666878 952824b8ef88116eecd9b6d8dc2eb7ab http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_mipsel.deb Size/MD5 checksum: 2107826 868569a1a13d5150d052f3f85a0c5b4b http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_mipsel.deb Size/MD5 checksum: 630902 26f8d04ed6cebb1cee2cdee0466e3828 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_powerpc.deb Size/MD5 checksum: 2116926 83a20a035135c86165e90512e1616e17 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_powerpc.deb Size/MD5 checksum: 633850 378165eda8f93d5db9a9750eb388a3d7 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_powerpc.deb Size/MD5 checksum: 389308 5706cb949dce54ed6bde511050c808db http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_powerpc.deb Size/MD5 checksum: 670056 5935a4928c82551b592a4ab7103d0305 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_sparc.deb Size/MD5 checksum: 389286 d67b24f2a1ca1ae2dfa7aeed269ba1c5 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_sparc.deb Size/MD5 checksum: 595054 0ce7c504c0a218e95713084b6fbdd9d4 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_sparc.deb Size/MD5 checksum: 628466 5509951b4426e12912531c3f56e309ae http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_sparc.deb Size/MD5 checksum: 1906138 8eda92ca5dfb4239544a288ebd8e8230 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkq6TkYACgkQ62zWxYk/rQf9WwCgtQFfyzvxMG27iAjtHw2SY7cZ ouAAn2g8b0lXjAZGmQoiX0W9oXk4QsuE =lSZ6 -----END PGP SIGNATURE-----