LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Kernel prepatch 3.9-rc6

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Scientific Linux alert SL-dove-20130304 (dovecot)



From:
    	      Pat Riehecky <riehecky@fnal.gov> 


To:
    	      "SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV"
	<SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV> 


Subject:
    	      Security ERRATA Low: dovecot on SL6.x i386/x86_64 


Date:
    	      Mon, 4 Mar 2013 13:09:42 -0600


Message-ID:
    	      <5134F176.9030701@fnal.gov>


Archive-link:
    	      Article, Thread
              


Synopsis:          Low: dovecot security and bug fix update
Issue Date:        2013-02-21
CVE Numbers:       CVE-2011-2166
                    CVE-2011-2167
                    CVE-2011-4318
--

Two flaws were found in the way some settings were enforced by the 
script-login
functionality of Dovecot. A remote, authenticated user could use these 
flaws to
bypass intended access restrictions or conduct a directory traversal 
attack by
leveraging login scripts. (CVE-2011-2166, CVE-2011-2167)

A flaw was found in the way Dovecot performed remote server identity
verification, when it was configured to proxy IMAP and POP3 connections to
remote hosts using TLS/SSL protocols. A remote attacker could use this 
flaw to
conduct man-in-the-middle attacks using an X.509 certificate issued by a
trusted Certificate Authority (for a different name). (CVE-2011-4318)

This update also fixes the following bug:

* When a new user first accessed their IMAP inbox, Dovecot was, under some
circumstances, unable to change the group ownership of the inbox 
directory in
the user's Maildir location to match that of the user's mail spool
(/var/mail/$USER). This correctly generated an "Internal error occurred"
message. However, with a subsequent attempt to access the inbox, Dovecot saw
that the directory already existed and proceeded with its operation, leaving
the directory with incorrectly set permissions. This update corrects the
underlying permissions setting error. When a new user now accesses their 
inbox
for the first time, and it is not possible to set group ownership, Dovecot
removes the created directory and generates an error message instead of 
keeping
the directory with incorrect group ownership.

After installing the updated packages, the dovecot service will be restarted
automatically.
--

SL6
   x86_64
     dovecot-2.0.9-5.el6.i686.rpm
     dovecot-2.0.9-5.el6.x86_64.rpm
     dovecot-debuginfo-2.0.9-5.el6.i686.rpm
     dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm
     dovecot-mysql-2.0.9-5.el6.x86_64.rpm
     dovecot-pgsql-2.0.9-5.el6.x86_64.rpm
     dovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm
     dovecot-devel-2.0.9-5.el6.x86_64.rpm
   i386
     dovecot-2.0.9-5.el6.i686.rpm
     dovecot-debuginfo-2.0.9-5.el6.i686.rpm
     dovecot-mysql-2.0.9-5.el6.i686.rpm
     dovecot-pgsql-2.0.9-5.el6.i686.rpm
     dovecot-pigeonhole-2.0.9-5.el6.i686.rpm
     dovecot-devel-2.0.9-5.el6.i686.rpm

- Scientific Linux Development Team
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds