USN-593-1: Dovecot vulnerabilities

26 March 2008

dovecot vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 7.10
  • Ubuntu 7.04
  • Ubuntu 6.10
  • Ubuntu 6.06 LTS

Software Description

  • dovecot

Details

It was discovered that the default configuration of dovecot could allow access to any email files with group “mail” without verifying that a user had valid rights. An attacker able to create symlinks in their mail directory could exploit this to read or delete another user’s email. (CVE-2008-1199)

By default, dovecot passed special characters to the underlying authentication systems. While Ubuntu releases of dovecot are not known to be vulnerable, the authentication routine was proactively improved to avoid potential future problems. (CVE-2008-1218)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 7.10
dovecot-common - 1:1.0.5-1ubuntu2.2
dovecot-imapd - 1:1.0.5-1ubuntu2.2
dovecot-pop3d - 1:1.0.5-1ubuntu2.2
Ubuntu 7.04
dovecot-common - 1.0.rc17-1ubuntu2.3
dovecot-imapd - 1.0.rc17-1ubuntu2.3
dovecot-pop3d - 1.0.rc17-1ubuntu2.3
Ubuntu 6.10
dovecot-common - 1.0.rc2-1ubuntu2.3
dovecot-imapd - 1.0.rc2-1ubuntu2.3
dovecot-pop3d - 1.0.rc2-1ubuntu2.3
Ubuntu 6.06 LTS
dovecot-common - 1.0.beta3-3ubuntu5.6
dovecot-imapd - 1.0.beta3-3ubuntu5.6
dovecot-pop3d - 1.0.beta3-3ubuntu5.6

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade, additional dovecot configuration changes are needed.

ATTENTION: Due to an unavoidable configuration update, the dovecot settings in /etc/dovecot/dovecot.conf need to be updated manually. During the update, a configuration file conflict will be shown. The default setting “mail_extra_groups = mail” should be changed to “mail_privileged_group = mail”. If your local configuration uses groups other than “mail”, you may need to use the new “mail_access_groups” setting as well.

References