dovecot-1.0.7-2.1AXS3

エラータID: AXSA:2008-76:01

Release date: 
Thursday, August 14, 2008 - 20:51
Subject: 
dovecot-1.0.7-2.1AXS3
Affected Channels: 
Asianux Server 3 for x86
Asianux Server 3 for x86_64
Asianux Server 3 for ppc
Asianux Server 3 for ia64
Severity: 
High
Description: 

Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.
CVE-2007-2231: Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
CVE-2007-4211:The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command.
CVE-2007-6598: Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password.
CVE-2008-1199: Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.

Solution: 

Update packages

CVEs: 
CVE-2007-2231
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
CVE-2007-4211
The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command.
CVE-2007-6598
Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password.
CVE-2008-1199
Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.


Additional Info: 

N/A

Download: 

Asianux Server 3 for x86
  1. dovecot-1.0.7-2.1AXS3.i386.rpm
    MD5: 7fe059afbeb2148281de70a016e17b40
    SHA-256: 403170727667c9f42408ee83c64d15dd68bfdf4e62bf46b2266a9d6867a95c81
    Size: 1.66 MB

Asianux Server 3 for x86_64
  1. dovecot-1.0.7-2.1AXS3.x86_64.rpm
    MD5: c1a6ed4834b63f996acb0fe2e862e783
    SHA-256: f8940b2826f71669619e137765ab46a3220e6b35ba7fd4b776d6298f31ac1542
    Size: 1.67 MB