Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Pat Riehecky <riehecky-13hema8v3vg <at> public.gmane.org>
Subject: Security ERRATA Low: dovecot on SL6.x i386/x86_64
Newsgroups: gmane.linux.scientific.errata
Date: Monday 4th March 2013 19:09:42 UTC (over 3 years ago)
Synopsis:          Low: dovecot security and bug fix update
Issue Date:        2013-02-21
CVE Numbers:       CVE-2011-2166
                    CVE-2011-2167
                    CVE-2011-4318
--

Two flaws were found in the way some settings were enforced by the 
script-login
functionality of Dovecot. A remote, authenticated user could use these 
flaws to
bypass intended access restrictions or conduct a directory traversal 
attack by
leveraging login scripts. (CVE-2011-2166, CVE-2011-2167)

A flaw was found in the way Dovecot performed remote server identity
verification, when it was configured to proxy IMAP and POP3 connections to
remote hosts using TLS/SSL protocols. A remote attacker could use this 
flaw to
conduct man-in-the-middle attacks using an X.509 certificate issued by a
trusted Certificate Authority (for a different name). (CVE-2011-4318)

This update also fixes the following bug:

* When a new user first accessed their IMAP inbox, Dovecot was, under some
circumstances, unable to change the group ownership of the inbox 
directory in
the user's Maildir location to match that of the user's mail spool
(/var/mail/$USER). This correctly generated an "Internal error occurred"
message. However, with a subsequent attempt to access the inbox, Dovecot
saw
that the directory already existed and proceeded with its operation,
leaving
the directory with incorrectly set permissions. This update corrects the
underlying permissions setting error. When a new user now accesses their 
inbox
for the first time, and it is not possible to set group ownership, Dovecot
removes the created directory and generates an error message instead of 
keeping
the directory with incorrect group ownership.

After installing the updated packages, the dovecot service will be
restarted
automatically.
--

SL6
   x86_64
     dovecot-2.0.9-5.el6.i686.rpm
     dovecot-2.0.9-5.el6.x86_64.rpm
     dovecot-debuginfo-2.0.9-5.el6.i686.rpm
     dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm
     dovecot-mysql-2.0.9-5.el6.x86_64.rpm
     dovecot-pgsql-2.0.9-5.el6.x86_64.rpm
     dovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm
     dovecot-devel-2.0.9-5.el6.x86_64.rpm
   i386
     dovecot-2.0.9-5.el6.i686.rpm
     dovecot-debuginfo-2.0.9-5.el6.i686.rpm
     dovecot-mysql-2.0.9-5.el6.i686.rpm
     dovecot-pgsql-2.0.9-5.el6.i686.rpm
     dovecot-pigeonhole-2.0.9-5.el6.i686.rpm
     dovecot-devel-2.0.9-5.el6.i686.rpm

- Scientific Linux Development Team
 
CD: 7ms