Package: dovecot-common
Version: 1:1.0.15-2.2
Severity: grave
Tags: security
Justification: user security hole

Stephan Bosch has reported¹ a security hole in the ManageSieve implementation for
Dovecot.

"… clever virtual users that know the directory structure of the server can
read and edit script files of other virtual users with the same system uid…"

The security patch for Dovecot 1.0.15 is available at:
http://www.rename-it.nl/dovecot/1.0/dovecot-1.0.15-managesieve-v9.3-security.patch

Regards,
Pascal

1 = http://dovecot.org/list/dovecot/2008-November/035259.html

-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dovecot-common depends on:
ii adduser 3.110 add and remove users and groups
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libkrb53 1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libmysqlclient15off 5.0.51a-17 MySQL database client library
ii libpam-runtime 1.0.1-4 Runtime support for the PAM librar
ii libpam0g 1.0.1-4+b1 Pluggable Authentication Modules l
ii libpq5 8.3.5-1 PostgreSQL C client library
ii libsqlite3-0 3.5.9-5 SQLite 3 shared library
ii libssl0.9.8 0.9.8g-14 SSL shared libraries
ii openssl 0.9.8g-14 Secure Socket Layer (SSL) binary a
ii ucf 3.0010 Update Configuration File: preserv
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
dovecot-common recommends no packages.
dovecot-common suggests no packages.
-- no debconf information