*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: dovecot

References:
DSA-1516-1 (http://www.debian.org/security/2008/dsa-1516)

Quoting:
"Prior to this update, the default configuration for Dovecot used by
Debian runs the server daemons with group mail privileges. This means
that users with write access to their mail directory by other means
(for example, through an SSH login) could read mailboxes owned by
other users for which they do not have direct write access
(CVE-2008-1199). In addition, an internal interpretation conflict in
password handling has been addressed proactively, even though it is
not known to be exploitable (CVE-2008-1218).

Note that applying this update requires manual action: The
configuration setting "mail_extra_groups = mail" has been replaced
with "mail_privileged_group = mail". The update will show a
configuration file conflict in /etc/dovecot/dovecot.conf. It is
recommended that you keep the currently installed configuration file,
and change the affected line. For your reference, the sample
configuration (without your local changes) will have been written to
/etc/dovecot/dovecot.conf.dpkg-new.

If your current configuration uses mail_extra_groups with a value
different from "mail", you may have to resort to the
mail_access_groups configuration directive."

** Affects: dovecot (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: dovecot (Debian)
     Importance: Unknown
         Status: Unknown

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1199

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1218

** Bug watch added: Debian Bug tracker #469457
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469457

** Also affects: dovecot (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469457
     Importance: Unknown
         Status: Unknown

-- 
[dovecot] [CVE-2008-1199, CVE-2008-1218] privilege escalation
https://bugs.launchpad.net/bugs/203449
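
Added example (not part of the bug report or of the Debian advisory): a shell check for the manual step the quoted advisory describes, reporting whether a dovecot.conf still carries an active mail_extra_groups line and whether its value is the plain "mail" case or one that needs review. The function name, exit codes and sample configuration lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the dovecot.conf setting that DSA-1516-1 replaces.
# Exit status (constructed for this example):
#   0  no active mail_extra_groups line
#   1  only "mail_extra_groups = mail": swap in "mail_privileged_group = mail"
#   2  some other value is set: review by hand (mail_access_groups may apply)
#   3  file not readable
audit_dovecot_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 3; }

    # Print "lineno:value" for every uncommented, non-empty assignment.
    found=$(awk '
        { sub(/#.*/, "") }
        /^[ \t]*mail_extra_groups[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            if ($0 != "") print NR ":" $0
        }' "$conf")

    [ -n "$found" ] || { echo "$conf: no active mail_extra_groups"; return 0; }

    result=1
    while IFS=: read -r lineno value; do
        if [ "$value" = "mail" ]; then
            echo "$conf:$lineno: replace with 'mail_privileged_group = mail'"
        else
            echo "$conf:$lineno: mail_extra_groups = $value; review by hand"
            result=2
        fi
    done <<EOF
$found
EOF
    return "$result"
}

# Constructed sample configuration, not taken from a real system.
sample=$(mktemp)
printf '%s\n' '#mail_extra_groups = old' 'protocols = imap imaps' \
    'mail_extra_groups = mail' > "$sample"
audit_dovecot_conf "$sample" || echo "exit status: $?"
rm -f "$sample"
```

On a host that kept its local configuration during the upgrade, point the function at /etc/dovecot/dovecot.conf; a non-zero status means the affected line is still in place.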