-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2008-2475 2008-03-13 05:56:54 --------------------------------------------------------------------------------
Name : dovecot Product : Fedora 7 Version : 1.0.13 Release : 18.fc7 URL : http://www.dovecot.org/ Summary : Dovecot Secure imap server Description : Dovecot is an IMAP server for Linux/UNIX-like systems, written with security primarily in mind. It also contains a small POP3 server. It supports mail in either of maildir or mbox formats. -------------------------------------------------------------------------------- Update Information: This update upgrades dovecot from version 1.0.10 to 1.0.13. Besides bug fixes, two security issues were fixed upstream in version 1.0.11 and 1.0.13. CVE-2008-1199 If Dovecot was configured with mail_extra_groups = mail, users having shell access to IMAP server could use this flaw to read, modify or delete mails of other users stored in inbox files in /var/mail. /var/mail directory is mail-group writable and user inbox files are by default created by useradd with permission 660, <user>:mail. No mail_extra_groups is set by default, hence default Fedora configuration was not affected by this problem. If your configuration sets mail_extra_groups, see new options mail_privileged_group and mail_access_groups introduced in Dovecot 1.0.11. (mail_extra_groups is still accepted, but is deprecated now) CVE-2008-1218 On Dovecot versions 1.0.11 and newer, it was possible to gain password-less login via passwords with tab characters, which were not filtered properly. Dovecot versions in Fedora were not affected by this unauthorized login flaw, but only by a related minor memory leak in dovecot-auth worker process. See referenced bugzilla for further details about this flaw. -------------------------------------------------------------------------------- ChangeLog: * Sun Mar 9 2008 Tomas Janousek <[EMAIL PROTECTED]> - 1.0.13-18 - update to latest upstream stable (1.0.13) * Mon Jan 7 2008 Tomas Janousek <[EMAIL PROTECTED]> - 1.0.10-17 - update to latest upstream stable (1.0.10) * Mon Nov 5 2007 Tomas Janousek <[EMAIL PROTECTED]> - 1.0.7-16 - update to latest upstream stable (1.0.7) - added the winbind patch (#286351) * Mon Sep 24 2007 Tomas Janousek <[EMAIL PROTECTED]> - 1.0.5-15 - update to latest upstream (1.0.5) * Mon Aug 6 2007 Tomas Janousek <[EMAIL PROTECTED]> - 1.0.3-14 - update to latest upstream (1.0.3 and sieve 1.0.2) - added the quota-warning patch * Sun Jul 15 2007 Tomas Janousek <[EMAIL PROTECTED]> - 1.0.2-13 - update to latest upstream * Mon Jun 18 2007 Tomas Janousek <[EMAIL PROTECTED]> - 1.0.1-12 - update to latest upstream * Sat Apr 14 2007 Tomas Janousek <[EMAIL PROTECTED]> - 1.0.0-11.1 - dovecot-1.0.beta2-pam-tty.patch is no longer needed -------------------------------------------------------------------------------- References: [ 1 ] Bug #436927 - CVE-2008-1199 dovecot: insecure mail_extra_groups option https://bugzilla.redhat.com/show_bug.cgi?id=436927 [ 2 ] Bug #436928 - CVE-2008-1218 dovecot: unauthorized login https://bugzilla.redhat.com/show_bug.cgi?id=436928 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update dovecot' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at http://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ Fedora-package-announce mailing list Fedora-package-announce@redhat.com http://www.redhat.com/mailman/listinfo/fedora-package-announce