-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2008-2464 2008-03-13 05:56:06 --------------------------------------------------------------------------------
Name : dovecot Product : Fedora 8 Version : 1.0.13 Release : 6.fc8 URL : http://www.dovecot.org/ Summary : Dovecot Secure imap server Description : Dovecot is an IMAP server for Linux/UNIX-like systems, written with security primarily in mind. It also contains a small POP3 server. It supports mail in either of maildir or mbox formats. The SQL drivers and authentication plugins are in their subpackages. -------------------------------------------------------------------------------- Update Information: This update upgrades dovecot from version 1.0.10 to 1.0.13. Besides bug fixes, two security issues were fixed upstream in version 1.0.11 and 1.0.13. CVE-2008-1199 If Dovecot was configured with mail_extra_groups = mail, users having shell access to IMAP server could use this flaw to read, modify or delete mails of other users stored in inbox files in /var/mail. /var/mail directory is mail-group writable and user inbox files are by default created by useradd with permission 660, <user>:mail. No mail_extra_groups is set by default, hence default Fedora configuration was not affected by this problem. If your configuration sets mail_extra_groups, see new options mail_privileged_group and mail_access_groups introduced in Dovecot 1.0.11. (mail_extra_groups is still accepted, but is deprecated now) CVE-2008-1218 On Dovecot versions 1.0.11 and newer, it was possible to gain password-less login via passwords with tab characters, which were not filtered properly. Dovecot versions in Fedora were not affected by this unauthorized login flaw, but only by a related minor memory leak in dovecot-auth worker process. See referenced bugzilla for further details about this flaw. -------------------------------------------------------------------------------- ChangeLog: * Sun Mar 9 2008 Tomas Janousek <[EMAIL PROTECTED]> - 1:1.0.13-6 - update to latest upstream stable (1.0.13) * Mon Jan 7 2008 Tomas Janousek <[EMAIL PROTECTED]> - 1:1.0.10-4 - update to latest upstream stable (1.0.10) * Wed Dec 5 2007 Jesse Keating <[EMAIL PROTECTED]> - 1:1.0.7-3 - Bump for deps * Mon Nov 5 2007 Tomas Janousek <[EMAIL PROTECTED]> - 1:1.0.7-2 - update to latest upstream stable (1.0.7) - added the winbind patch (#286351) -------------------------------------------------------------------------------- References: [ 1 ] Bug #436927 - CVE-2008-1199 dovecot: insecure mail_extra_groups option https://bugzilla.redhat.com/show_bug.cgi?id=436927 [ 2 ] Bug #436928 - CVE-2008-1218 dovecot: unauthorized login https://bugzilla.redhat.com/show_bug.cgi?id=436928 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update dovecot' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at http://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ Fedora-package-announce mailing list Fedora-package-announce@redhat.com http://www.redhat.com/mailman/listinfo/fedora-package-announce