close
Pourquoi s'enregistré ... Pour bénéficié de plein d'avantage, plus l'accès à des partis du site qui ne sont accessible qu'aux membres. L'inscription n'est pas une obligation.

       
Mot de passe oublié?    Identifiant oublié?    Créer un compte

Si toute fois vous avez envies de vous inscrire, donner une adresse e-mail valide, car il vous seras envoyer un mail de confirmation d'ouverture de compte. Merci.
Top Panel
Login
Top Panel

Pin-Up

Recherche Google

Publicité

[Security Announce] [ MDVSA-2008:232 ] dovecot PDF Imprimer Envoyer
(0 Votes)
Écrit par Administrator   
Jeudi, 20 Novembre 2008 10:21
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2008:232
http://www.mandriva.com/security/
_______________________________________________________________________

Package : dovecot
Date : November 19, 2008
Affected: 2009.0
_______________________________________________________________________

Problem Description:

The ACL plugin in dovecot prior to version 1.1.4 treated negative access rights as though they were positive access rights, which allowed attackers to bypass intended access restrictions (CVE-2008-4577).

The ACL plugin in dovecot prior to version 1.1.6 allowed attackers to bypass intended access restrictions by using the 'k' right to create unauthorized 'parent/child/child' mailboxes (CVE-2008-4578).

In addition, two bugs were discovered in the dovecot package shipped with Mandriva Linux 2009.0. The default permissions on the dovecot.conf configuration file were too restrictive, which prevents the use of dovecot's 'deliver' command as a non-root user. Secondly, dovecot should not start until after ntpd, if ntpd is active, because if ntpd corrects the time backwards while dovecot is running, dovecot will quit automatically, with the log message 'Time just moved backwards by X seconds. This might cause a lot of problems, so I'll just kill myself now.' The update resolves both these problems. The default permissions on dovecot.conf now allow the 'deliver' command to read the file. Note that if you edited dovecot.conf at all prior to installing the update, the new permissions may not be applied.

If you find the 'deliver' command still does not work following the update, please run these commands as root:
  • chmod 0640 /etc/dovecot.conf
  • chown root:mail /etc/dovecot.conf
Dovecot's initialization script now configures it to start after the ntpd service, to ensure ntpd resetting the clock does not interfere with Dovecot operation.

This package corrects the above-noted bugs and security issues by upgrading to the latest dovecot 1.1.6, which also provides additional bug fixes.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4578
https://qa.mandriva.com/44926
_______________________________________________________________________
Updated Packages:

Mandriva Linux 2009.0:
437fcab249d5274b3101bb7c953c2a79 2009.0/i586/dovecot-1.1.6-0.1mdv2009.0.i586.rpm
0ca908249ab050c56e61dadfd0fb1c33 2009.0/i586/dovecot-devel-1.1.6-0.1mdv2009.0.i586.rpm
48b2d085ef9a6a1c1dfcb55f3af6090b 2009.0/i586/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.i586.rpm
8698367ab382293be85e3e7fb65b38ca 2009.0/i586/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.i586.rpm
c2878a5f597b8a9f66605df32cf65a06 2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
1c4936b072f401ea2c94c6c7b3d6b427 2009.0/x86_64/dovecot-1.1.6-0.1mdv2009.0.x86_64.rpm
5d869999de273e36c8bda186fb2610a0 2009.0/x86_64/dovecot-devel-1.1.6-0.1mdv2009.0.x86_64.rpm
9bc71b93dce1b7995039e0cbf7623803 2009.0/x86_64/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.x86_64.rpm
264aaf2cbec7ef2ea7071f14b6bf174a 2009.0/x86_64/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.x86_64.rpm
c2878a5f597b8a9f66605df32cf65a06 2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________
Submit to Delicious Submit to Facebook Submit to Google Bookmarks Submit to Technorati Submit to Twitter Submit to LinkedIn

 

Ajouter un Commentaire


Code de sécurité
Rafraîchir

maps.amung.us

www.geo-loc.com

Publicité

Browse the web faster with Firefox