>Number:         128698
>Category:       ports
>Synopsis:       [vuxml] new entry for Dovecot 1.1.4-1.1.5
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 08 14:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

Not applicable.

>Description:

Citing from http://www.dovecot.org/list/dovecot-news/2008-October/000089.html
-----
The invalid message address parsing bug is pretty important since it
allows a remote user to send broken mail headers and prevent the
recipient from accessing the mailbox afterwards, because the process
will always just crash trying to parse the header. This is assuming that
the IMAP client uses FETCH ENVELOPE command, not all do. Note that it
doesn't affect versions older than v1.1.4.
-----

Currently, FreeBSD's Dovecot from ports is built from the 1.1.3 release
and I doubt that it will be upgraded to something <= 1.1.6, since 1.1.6
is out.  But who knows.

>How-To-Repeat:

Look at
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4907
and references therein.

>Fix:

Possibly, the new VuXML entry can be added:
--- dovecot-08.11.2008.xml begins here ---
  <vuln vid="">
    <topic>dovecot -- invalid message address parsing bug</topic>
    <affects>
      <package>
        <name>dovecot</name>
        <name>dovecot-devel</name>
        <range><ge>1.1.4</ge><lt>1.1.6</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Dovecot reports:</p>
        <blockquote cite="http://www.dovecot.org/list/dovecot-news/2008-October/000089.html">
          <p>
            The invalid message address parsing bug is pretty
            important since it allows a remote user to send broken
            mail headers and prevent the recipient from accessing
            the mailbox afterwards, because the process will always
            just crash trying to parse the header. This is assuming
            that the IMAP client uses FETCH ENVELOPE command, not
            all do. Note that it doesn't affect versions older than
            v1.1.4.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-4907</cvename>
      <url>http://www.dovecot.org/list/dovecot-news/2008-October/000089.html</url>
      <url>http://secunia.com/advisories/32479/</url>
      <url>http://xforce.iss.net/xforce/xfdb/46227/</url>
      <url>http://www.securityfocus.com/bid/31997/</url>
    </references>
    <dates>
      <discovery>2008-10-30</discovery>
      <entry>2008-11-08</entry>
    </dates>
  </vuln>
--- dovecot-08.11.2008.xml ends here ---

As I said, I greatly doubt that official FreeBSD ports will ever have
these versions of Dovecot, but people can update their ports to receive
the new Dovecot versions, so there can be some reasons to add it.

The only PR that contains Dovecot is ports/128469 and it upgrades the
port to the "safe" version 1.1.6.
>Release-Note:
>Audit-Trail:
>Unformatted:
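An added illustration, not the PR's or FreeBSD's own audit code, of how a tool such as pkg audit evaluates the proposed entry's <range> against an installed package version; the vid is a placeholder because the PR leaves it empty, and the version comparison is a simplified dotted-integer compare rather than FreeBSD's full package-version algorithm.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the entry proposed above; the vid is a placeholder
# because the PR leaves it empty, and the description body is omitted.
VUXML_ENTRY = """<vuln vid="PLACEHOLDER-VID">
  <topic>dovecot -- invalid message address parsing bug</topic>
  <affects>
    <package>
      <name>dovecot</name>
      <name>dovecot-devel</name>
      <range><ge>1.1.4</ge><lt>1.1.6</lt></range>
    </package>
  </affects>
  <references><cvename>CVE-2008-4907</cvename></references>
</vuln>"""

# Bound elements VuXML allows inside <range>; all bounds in one <range>
# must hold, and a package matches if any of its <range>s holds.
_OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
        "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
        "eq": lambda a, b: a == b}


def parse_version(text):
    """'1.1.4' -> (1, 1, 4). Simplified: dotted integers only, not the
    full FreeBSD package-version comparison (no _N or ,N suffixes)."""
    return tuple(int(part) for part in text.strip().split("."))


def _range_matches(version, rng):
    return all(_OPS[b.tag](version, parse_version(b.text)) for b in rng)


def affected(entry_xml, pkgname, pkgversion):
    """Return (vid, [CVEs]) if pkgname-pkgversion is affected, else None."""
    vuln = ET.fromstring(entry_xml)
    version = parse_version(pkgversion)
    for pkg in vuln.iter("package"):
        names = {n.text.strip() for n in pkg.findall("name")}
        if pkgname in names and any(_range_matches(version, r)
                                     for r in pkg.findall("range")):
            return vuln.get("vid"), [c.text for c in vuln.iter("cvename")]
    return None


if __name__ == "__main__":
    for name, ver in [("dovecot", "1.1.3"), ("dovecot", "1.1.5"),
                      ("dovecot-devel", "1.1.6")]:
        print(f"{name}-{ver}: {affected(VUXML_ENTRY, name, ver)}")
```

With the PR's range, 1.1.3 (the ports version) and 1.1.6 (the fixed release) fall outside it, while 1.1.4 and 1.1.5 match.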