Hi!
dovecot-1.0-alt8.rc29 has been submitted to devel:/incoming/Sisyphus with
a fix for a security problem in the zlib plugin. Everyone who uses this
plugin is advised to upgrade.
---
        Сергей Иванов

-------- Original Message --------
Subject: [Dovecot] Security hole #3: zlib plugin allows opening any gzipped mboxes
Date: Fri, 30 Mar 2007 17:46:29 +0300
From: Timo Sirainen <[EMAIL PROTECTED]>
Reply-To: Dovecot Mailing List <[email protected]>
To: [EMAIL PROTECTED]
CC: [email protected]

zlib plugin allows opening gzipped mboxes as read-only mailboxes.
However when using it, the mailbox name checks are bypassed so it's
possible to open for example "../otheruser/somefile.gz". Only valid
gzipped mbox files can be opened, and only if their name ends with
".gz".

You can fix this by upgrading to v1.0.rc29 (available soon) or with this
patch: http://dovecot.org/list/dovecot-cvs/2007-March/008488.html

I don't think this matters much though. zlib plugin is rarely used, and
those who do use it are probably using Dovecot with systems users
(per-user UIDs), so the imap process wouldn't have access to other
users' mbox files anyway.

I found this problem when I was cleaning up the code in CVS HEAD.

_______________________________________________
Sysadmins mailing list
[email protected]
https://lists.altlinux.org/mailman/listinfo/sysadmins
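The defect Timo describes is a missing mailbox-name check in the zlib plugin: a name such as "../otheruser/somefile.gz" is passed straight through to the filesystem. The following is an added illustration of the kind of check the plugin lacked, written for this page and not taken from Dovecot's source or from the linked patch; the function names (mbox_name_is_safe, zlib_mbox_path) and the mail-root and mailbox names are hypothetical. It rejects absolute names, empty, "." and ".." path components and control bytes, then only builds a path under the mail root for names ending in ".gz", which matches the two conditions stated in the message (only files under the user's mail root, only ".gz" names).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Lexical check that a mailbox name cannot escape the mail root.
   Rejects: NULL/empty names, absolute names, empty components ("a//b",
   trailing '/'), "." and ".." components, and control bytes. */
bool mbox_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '/')
        return false;

    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash != NULL ? (size_t)(slash - p) : strlen(p);

        if (len == 0)                                   /* "" component */
            return false;
        if (len == 1 && p[0] == '.')                    /* "." */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.')     /* ".." */
            return false;
        for (size_t i = 0; i < len; i++) {
            unsigned char c = (unsigned char)p[i];
            if (c < 0x20 || c == 0x7f)                  /* control byte */
                return false;
        }
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return true;
}

/* Build "<root>/<name>" for a gzipped mbox. Returns true and fills `out`
   only if the name passes mbox_name_is_safe() and ends in ".gz"; on
   failure `out` is left untouched. */
bool zlib_mbox_path(const char *root, const char *name,
                    char *out, size_t outlen)
{
    if (!mbox_name_is_safe(name))
        return false;
    size_t nlen = strlen(name);
    if (nlen < 4 || strcmp(name + nlen - 3, ".gz") != 0)   /* need "x.gz" */
        return false;
    int n = snprintf(out, outlen, "%s/%s", root, name);
    return n >= 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed sample names: the last four must be rejected. */
    const char *names[] = {
        "INBOX.gz",
        "archive/2007.gz",
        "../otheruser/somefile.gz",
        "/etc/passwd.gz",
        "foo/../bar.gz",
        "archive/2007",
    };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        bool ok = zlib_mbox_path("/home/user/mail", names[i], path, sizeof path);
        printf("%-28s %s\n", names[i], ok ? path : "rejected");
    }
    return 0;
}
```

A purely lexical check like this is deliberately independent of what exists on disk, so it cannot be fooled by a file that is created between a check and the open; Dovecot's own fix in rc29 is the authoritative change, this only shows the shape of the validation.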
