USN-1059-1: Dovecot vulnerabilities

7 February 2011

dovecot vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.10
  • Ubuntu 10.04 LTS

Summary

Software Description

  • dovecot

Details

It was discovered that the ACL plugin in Dovecot would incorrectly propagate ACLs to new mailboxes. A remote authenticated user could possibly read new mailboxes that were created with the wrong ACL. (CVE-2010-3304)

It was discovered that the ACL plugin in Dovecot would incorrectly merge ACLs in certain circumstances. A remote authenticated user could possibly bypass intended access restrictions and gain access to mailboxes. (CVE-2010-3706, CVE-2010-3707)

It was discovered that the ACL plugin in Dovecot would incorrectly grant the admin permission to owners of certain mailboxes. A remote authenticated user could possibly bypass intended access restrictions and gain access to mailboxes. (CVE-2010-3779)

It was discovered that Dovecot incorrecly handled the simultaneous disconnect of a large number of sessions. A remote authenticated user could use this flaw to cause Dovecot to crash, resulting in a denial of service. (CVE-2010-3780)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.10
dovecot-common - 1:1.2.12-1ubuntu8.1
Ubuntu 10.04 LTS
dovecot-common - 1:1.2.9-1ubuntu6.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References