Package: dovecot-common
Version: 1:1.0.15-2.2
Severity: grave
Tags: security
Justification: user security hole
Stephan Bosch has reported¹ a security hole in the ManageSieve implementation for Dovecot:

"… clever virtual users that know the directory structure of the server can read and edit script files of other virtual users with the same system uid…"

The security patch for Dovecot 1.0.15 is available at:
http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch

Regards,
Pascal

1 = http://dovecot.org/list/dovecot/2008-November/035259.html

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dovecot-common depends on:
ii  adduser              3.110                add and remove users and groups
ii  libc6                2.7-15               GNU C Library: Shared libraries
ii  libcomerr2           1.41.3-1             common error description library
ii  libkrb53             1.6.dfsg.4~beta1-4   MIT Kerberos runtime libraries
ii  libldap-2.4-2        2.4.11-1             OpenLDAP libraries
ii  libmysqlclient15off  5.0.51a-17           MySQL database client library
ii  libpam-runtime       1.0.1-4              Runtime support for the PAM librar
ii  libpam0g             1.0.1-4+b1           Pluggable Authentication Modules l
ii  libpq5               8.3.5-1              PostgreSQL C client library
ii  libsqlite3-0         3.5.9-5              SQLite 3 shared library
ii  libssl0.9.8          0.9.8g-14            SSL shared libraries
ii  openssl              0.9.8g-14            Secure Socket Layer (SSL) binary a
ii  ucf                  3.0010               Update Configuration File: preserv
ii  zlib1g               1:1.2.3.3.dfsg-12    compression library - runtime

dovecot-common recommends no packages.

dovecot-common suggests no packages.

-- no debconf information
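As an added illustration, not part of the report above or of Dovecot's own code, here is the kind of defensive check a bug of this class calls for. It assumes that a script name sent by the client is used as a file-name component under that user's own sieve directory, so any name carrying a path separator or a "." / ".." component must be rejected before a path is ever built; the function names, the directory layout and the `.sieve` suffix are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Accept only script names that cannot leave the caller's own sieve
 * directory: non-empty, bounded length, no '/' or '\\', no control
 * characters, and not the special components "." or "..". */
bool sieve_script_name_valid(const char *name)
{
    if (name == NULL)
        return false;
    size_t len = strlen(name);
    if (len == 0 || len > 128)
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f)
            return false;
    }
    return true;
}

/* Build "<sieve_dir>/<name>.sieve" only after the name passed validation.
 * Returns false (and leaves out_path untouched) for a rejected name or a
 * path that would not fit; the caller must never fall back to the raw name. */
bool sieve_script_path(const char *sieve_dir, const char *name,
                       char *out_path, size_t out_size)
{
    if (!sieve_script_name_valid(name))
        return false;
    int n = snprintf(out_path, out_size, "%s/%s.sieve", sieve_dir, name);
    return n > 0 && (size_t)n < out_size;
}

int main(void)
{
    /* Constructed sample names: one legitimate, one carrying a traversal. */
    const char *names[] = { "vacation", "../otheruser/vacation" };
    char path[256];
    for (size_t i = 0; i < 2; i++) {
        if (sieve_script_path("/var/mail/user1/sieve", names[i], path, sizeof path))
            printf("accepted %-24s -> %s\n", names[i], path);
        else
            printf("rejected %s\n", names[i]);
    }
    return 0;
}
```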