dovecot-2.0.9-5.AXS4
Errata ID: AXSA:2013-272:01
Release date:
2013/03/27 Wednesday - 13:05
Title:
dovecot-2.0.9-5.AXS4
Affected channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Dovecot's script-login does not follow the user and group configuration settings, which allows a remote authenticated attacker to bypass intended access restrictions by leveraging a script. (CVE-2011-2166)
- Dovecot's script-login does not follow the chroot configuration setting, which allows a remote authenticated user to conduct directory traversal attacks by leveraging a script. (CVE-2011-2167)
- When ssl or starttls is enabled and a hostname is used to define the proxy destination, Dovecot does not verify that the server hostname matches the Common Name (CN) in the subject of the X.509 certificate, which allows a man-in-the-middle attacker to spoof an SSL server using a valid certificate for a different hostname. (CVE-2011-4318)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2011-2166
script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script.
CVE-2011-2167
script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script.
CVE-2011-4318
Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.
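As an added illustration (constructed for this page, not Dovecot's code and not part of the advisory), the identity check that CVE-2011-4318 describes as missing: matching the proxy destination hostname against the certificate's subject CN, with SAN dNSName entries taking precedence when present. The hostnames and identifiers below are constructed sample values.

```python
# Added example: the identity check CVE-2011-4318 describes as missing.
# Constructed, self-contained code; it is not Dovecot's implementation.

def _match_identifier(pattern: str, hostname: str) -> bool:
    """Match one presented identifier (CN or SAN dNSName) against a hostname.

    A wildcard is honoured only as the entire left-most label (RFC 6125
    section 6.4.3), never spans a dot, and needs at least two fixed labels.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # "*.com", "f*o.example.com", "a.*.example.com" are rejected
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False  # the wildcard covers exactly one non-empty label
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns_names, subject_cn) -> bool:
    """Return True if the certificate's identifiers cover hostname.

    SAN dNSName entries take precedence; the subject CN is consulted only
    when the certificate carries no dNSName at all. Skipping this check is
    the gap the CVE describes: a valid certificate issued for a different
    hostname would otherwise be accepted for the proxy destination.
    """
    if san_dns_names:
        return any(_match_identifier(n, hostname) for n in san_dns_names)
    if subject_cn:
        return _match_identifier(subject_cn, hostname)
    return False


# Constructed sample: a proxy destination and the identifiers found in the
# certificate the backend presented.
PROXY_DEST = "imap.example.com"
WRONG_HOST_CERT_CN = "other.example.com"  # valid cert, different hostname
MATCHING_CERT_SANS = ["mail.example.com", "*.example.com"]

if __name__ == "__main__":
    print(hostname_matches(PROXY_DEST, [], WRONG_HOST_CERT_CN))    # False
    print(hostname_matches(PROXY_DEST, MATCHING_CERT_SANS, None))  # True
```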
Additional information:
N/A
Download:
SRPMS
- dovecot-2.0.9-5.AXS4.src.rpm
MD5: 74622e3c3fd345100f93dc04d93ed59b
SHA-256: 6568354c348f98dc9a8ed1b88426cfa91539cbfbfc62b342e62e092256959e3e
Size: 4.24 MB
Asianux Server 4 for x86
- dovecot-2.0.9-5.AXS4.i686.rpm
MD5: 2cc154982b25a9e74fb82bd9716865ad
SHA-256: ba9fef7297b50e1b2b1b2f3a9eb69ff4f987ea9cac6475b41a67398765d2e9b5
Size: 1.93 MB
- dovecot-mysql-2.0.9-5.AXS4.i686.rpm
MD5: 658e3698dea4b458ad6badd1063a713b
SHA-256: a12c69c8347928fd3c4d545dec8a2583af3764e89eb48461c340a9f650935b80
Size: 37.39 kB
- dovecot-pgsql-2.0.9-5.AXS4.i686.rpm
MD5: a91cbd1badcbaae7bbec6340613fc500
SHA-256: ef769e649f2e4dd7218cb112ac07cb8f93f39b022858d51fccd7cce6e6d0503d
Size: 39.74 kB
- dovecot-pigeonhole-2.0.9-5.AXS4.i686.rpm
MD5: 5b0573ad6b4586ece2591e41612f9d2e
SHA-256: 9c220d4bbe87f04df910e4c8acfd79b95ed737ac0adc7300caf5a1558c1da049
Size: 97.08 kB
Asianux Server 4 for x86_64
- dovecot-2.0.9-5.AXS4.x86_64.rpm
MD5: 995607af10b5ebc427714ef1c4803b67
SHA-256: c15d6940fbe6b53ea261bcce546f24b0e74468c5e471f9cee95315d5124450a7
Size: 1.90 MB
- dovecot-mysql-2.0.9-5.AXS4.x86_64.rpm
MD5: 36d9fe400db161fd148c8977c27e7bd9
SHA-256: f801014562677dad704ebabd3ea61b37bc39b211ec0792cc3728e3971ca9a9be
Size: 37.04 kB
- dovecot-pgsql-2.0.9-5.AXS4.x86_64.rpm
MD5: a0815397e2409f3858e4e6b70b37260c
SHA-256: a8c545c607ac30d8fbec1065afb79997087d2c03e63e124a869f4152e9fdd6b8
Size: 39.42 kB
- dovecot-pigeonhole-2.0.9-5.AXS4.x86_64.rpm
MD5: 7b2a851bde9eb6adc193d7e598a953f2
SHA-256: 493ff1bbad74edf998f7a9bdb655bf831fecfaa68ef217987241f42c720cac31
Size: 97.05 kB
- dovecot-2.0.9-5.AXS4.i686.rpm
MD5: 2cc154982b25a9e74fb82bd9716865ad
SHA-256: ba9fef7297b50e1b2b1b2f3a9eb69ff4f987ea9cac6475b41a67398765d2e9b5
Size: 1.93 MB