
[ MDVSA-2010:217 ] dovecot

2010-11-02 00:00:00
vulners.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Mandriva Linux Security Advisory MDVSA-2010:217
http://www.mandriva.com/security/


Package : dovecot
Date : October 30, 2010
Affected: 2010.0, 2010.1


Problem Description:

Multiple vulnerabilities were discovered and corrected in dovecot:

Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin
permission to the owner of each mailbox in a non-public namespace,
which might allow remote authenticated users to bypass intended access
restrictions by changing the ACL of a mailbox, as demonstrated by a
symlinked shared mailbox (CVE-2010-3779).

Dovecot 1.2.x before 1.2.15 allows remote authenticated users to
cause a denial of service (master process outage) by simultaneously
disconnecting many (1) IMAP or (2) POP3 sessions (CVE-2010-3780).

The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to
newly created mailboxes in certain configurations, which might allow
remote attackers to read mailboxes that have unintended weak ACLs
(CVE-2010-3304).

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15
and 2.0.x before 2.0.5 interprets an ACL entry as a directive to
add to the permissions granted by another ACL entry, instead of a
directive to replace the permissions granted by another ACL entry,
in certain circumstances involving the private namespace of a user,
which allows remote authenticated users to bypass intended access
restrictions via a request to read or modify a mailbox (CVE-2010-3706).

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and
2.0.x before 2.0.5 interprets an ACL entry as a directive to add to
the permissions granted by another ACL entry, instead of a directive
to replace the permissions granted by another ACL entry, in certain
circumstances involving more specific entries that occur after less
specific entries, which allows remote authenticated users to bypass
intended access restrictions via a request to read or modify a mailbox
(CVE-2010-3707).

This advisory provides dovecot 1.2.15, which is not vulnerable to
these issues.

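The ACL defects above (CVE-2010-3706/3707) come down to a later ACL entry being read as adding to an earlier one instead of replacing it, and CVE-2010-3304 to weak INBOX entries being copied into new mailboxes. The following audit script is an added illustration written for this advisory, not Dovecot's code: it parses dovecot-acl vfile entries (assumed format: one `<identifier> <rights>` per line, `#` comments, rights as letters such as `lrws` or names such as `lookup read`), flags entries that reach non-owners or grant admin, and reports identifiers whose effective rights would differ under additive versus replacing merge. It models only repeated identifiers within one file, not Dovecot's cross-identifier precedence.

```python
# Added illustration (not Dovecot's code): audit dovecot-acl vfile entries for the
# conditions the advisory describes. Assumed format: '<identifier> <rights>' per
# line, '#' comments, rights as letters ('lrws') or names ('lookup read').
RIGHT_NAMES = {"lookup": "l", "read": "r", "write": "w", "write-seen": "s",
               "write-deleted": "t", "insert": "i", "post": "p", "expunge": "e",
               "create": "k", "delete": "x", "admin": "a"}
BROAD = ("anyone", "authenticated")  # identifiers that reach non-owner users

def parse_entries(text):
    """Return entries in file order as (identifier, set of right letters)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ident, _, rights = line.partition(" ")
        letters = set()
        for tok in rights.split():
            letters.update(RIGHT_NAMES.get(tok, tok))  # name -> letter, else letters
        entries.append((ident, letters))
    return entries

def effective_rights(entries, additive):
    """Merge repeated identifiers. additive=True models the defect in the
    advisory (a later entry adds to an earlier one); additive=False the
    corrected reading (a later entry replaces the earlier one)."""
    merged = {}
    for ident, rights in entries:
        merged[ident] = (merged.get(ident, set()) | rights) if additive else set(rights)
    return merged

def audit(text):
    """Return findings as (identifier, reason, rights-as-string) tuples."""
    entries = parse_entries(text)
    fixed = effective_rights(entries, additive=False)
    vuln = effective_rights(entries, additive=True)
    findings = []
    for ident, rights in fixed.items():
        if ident in BROAD and rights:
            findings.append((ident, "non-owner rights", "".join(sorted(rights))))
        if "a" in rights and ident != "owner":
            findings.append((ident, "admin right", "".join(sorted(rights))))
        extra = vuln[ident] - rights
        if extra:  # effective rights depend on additive vs replacing merge
            findings.append((ident, "additive merge would add", "".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    # Constructed sample: INBOX-style entries copied into a new mailbox, followed
    # by a narrower entry for the same user that is meant to replace the earlier one.
    SAMPLE = "owner lrwstipekxa\nanyone lr\nuser=bob lrw admin\nuser=bob l  # intended\n"
    for finding in audit(SAMPLE):
        print(finding)
```

Run the script against the `dovecot-acl` file of each mailbox; any "additive merge would add" finding marks a mailbox whose effective rights changed when upgrading to 1.2.15.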

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3779
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3707


Updated Packages:



To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMzCF3mqjQ0CJFipgRAuERAJ9xuqu9TdMIMsvem+1A1/ljZHkw5ACggX32
1Au0YeDEpCfC8B+FCBipws8=
=zUwy
-----END PGP SIGNATURE-----