Pardus alert 2011-81 (dovecot)

From:
    	     
 
Meltem Parmaksız <meltem@pardus.org.tr> 
To:
    	     
 
pardus-security@pardus.org.tr 
Subject:
    	     
 
[Pardus-security] [PLSA 2011-81] Dovecot: man-in-the-middle attack 
Date:
    	     
 
Tue, 21 Jun 2011 16:06:02 +0300
Message-ID:
    	     
 
<201106211606.02702.meltem@pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2011-81            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2011-06-03
  Severity: 4
      Type: Remote
------------------------------------------------------------------------

Summary
=======

A vulnerability has been  found  in  Dovecot,  which  can  be  used  by 
man-in-the-middle attackers to spoof arbitrary SSL servers. 


Description
===========

CVE-2011-1094: 

kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1  does  not 
properly verify that the server hostname matches the domain name of the 
subject  of an  X.509  certificate,  which  allows   man-in-the-middle  
attackers to spoof arbitrary SSL servers via a certificate issued by  a 
legitimate Certification Authority  for  an  IP  address,  a  different 
vulnerability than CVE-2009-2702. 



Affected packages:

  Pardus 2009:
    dovecot, all before 1.1.18-23-4


Resolution
==========

There are update(s) for dovecot. You can update them via Package Manager
or with a single command from console: 

    pisi up dovecot

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=18171

------------------------------------------------------------------------
_______________________________________________
Pardus-Security mailing list
Pardus-Security@pardus.org.tr
http://liste.pardus.org.tr/mailman/listinfo/pardus-security