Your message dated Sat, 09 Oct 2010 04:32:19 +0000
with message-id <[email protected]>
and subject line Bug#599521: fixed in dovecot 1:1.2.15-1
has caused the Debian Bug report #599521,
regarding [dovecot] New Upstream version 1.2.15 fix two ACL bugs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
599521: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599521
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dovecot
Version: 1:1.2.13-1
Severity: grave

On Oct 1, Timo released version 1.2.15 to correct two bugs in the ACL evaluation logic:

        * acl: Fixed the logic of merging multiple ACL entries. Now it works as
          documented, while previously it could have done slightly different
          things depending on the order of the entries.

        * acl: Don't give admin rights to all owner mailboxes. This was
          originally done to make sure that mailbox owner couldn't accidentally
          remove their own admin rights. But this is already prevented by
          SETACL command, so it's not necessary. Also sysadmin may have
          intentionally removed some admin rights from some mailboxes
          (especially when using symlinked shared mailboxes).

I think this is an important security fix, because without it a user can gain access to other mailboxes or, worse, admin rights on shared mailboxes. It would be a Good Thing(TM) to have version 1.2.15 in Squeeze.

You can find the release notes here:
http://www.dovecot.org/list/dovecot-news/2010-October/000175.html

and details on the ACL bug here:
http://www.dovecot.org/list/dovecot-news/2010-October/000177.html

Best regards.

             Paolo Miotto


-------------------------------------------
Paolo Miotto
Centro Servizi Informatici e Telematici
Università di Udine
-------------------------------------------


----------------------------------------------------------------------
SEMEL (SErvizio di Messaging ELettronico) - CSIT -Universita' di Udine




--- End Message ---
--- Begin Message ---
Source: dovecot
Source-Version: 1:1.2.15-1

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive:

dovecot-common_1.2.15-1_i386.deb
  to main/d/dovecot/dovecot-common_1.2.15-1_i386.deb
dovecot-dbg_1.2.15-1_i386.deb
  to main/d/dovecot/dovecot-dbg_1.2.15-1_i386.deb
dovecot-dev_1.2.15-1_i386.deb
  to main/d/dovecot/dovecot-dev_1.2.15-1_i386.deb
dovecot-imapd_1.2.15-1_i386.deb
  to main/d/dovecot/dovecot-imapd_1.2.15-1_i386.deb
dovecot-pop3d_1.2.15-1_i386.deb
  to main/d/dovecot/dovecot-pop3d_1.2.15-1_i386.deb
dovecot_1.2.15-1.debian.tar.gz
  to main/d/dovecot/dovecot_1.2.15-1.debian.tar.gz
dovecot_1.2.15-1.dsc
  to main/d/dovecot/dovecot_1.2.15-1.dsc
dovecot_1.2.15.orig.tar.gz
  to main/d/dovecot/dovecot_1.2.15.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jaldhar H. Vyas <[email protected]> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 08 Oct 2010 17:34:19 -0400
Source: dovecot
Binary: dovecot-common dovecot-dev dovecot-imapd dovecot-pop3d dovecot-dbg
Architecture: source i386
Version: 1:1.2.15-1
Distribution: unstable
Urgency: high
Maintainer: Dovecot Maintainers <[email protected]>
Changed-By: Jaldhar H. Vyas <[email protected]>
Description: 
 dovecot-common - secure mail server that supports mbox and maildir mailboxes
 dovecot-dbg - debug symbols for Dovecot
 dovecot-dev - header files for the dovecot mail server
 dovecot-imapd - secure IMAP server that supports mbox and maildir mailboxes
 dovecot-pop3d - secure POP3 server that supports mbox and maildir mailboxes
Closes: 570814 576455 587036 595671 597529 599521
Changes: 
 dovecot (1:1.2.15-1) unstable; urgency=high
 .
   [ Marco Nenciarini ]
   * New upstream release (Closes: #587036,#597529)
   * Updated policy version to 3.9.1.0 (no changes needed)
 .
   [ Jaldhar H. Vyas ]
   * [SECURITY] Fixes two bugs with acls which could have allowed a user to
     gain improper access or admin rights to shared mailboxes.
     (Closes: #599521)
   * Warn that the generated SSL certificate will expire in 365 days.  Thanks
     Phillip Weis.  (Closes: #576455)
   * Wherever the path to sendmail is given as /usr/lib/sendmail, change to
     /usr/sbin/sendmail.  (Closes: #570814,#595671)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyvm+EACgkQ2kYOR+5txmoGjQCcC5E5SDk4hSrjmT4n36S9J3dg
3YMAoJmmIcInZhnMQGo+2FPToxCB4X6n
=o80k
-----END PGP SIGNATURE-----



--- End Message ---
