  • [SECURITY] [DSA 1892-1] New dovecot packages fix arbitrary code executi

    From Steffen Joeris@1:229/2 to All on Wed Sep 23 18:40:05 2009
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1892-1                  [email protected]
    http://www.debian.org/security/                      Giuseppe Iuculano
    September 23, 2009                  http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Packages : dovecot
    Vulnerability : buffer overflow
    Problem type : local (remote)
    Debian-specific: no
    CVE IDs : CVE-2009-2632 CVE-2009-3235
    Debian Bug : 546656

    It was discovered that the SIEVE component of dovecot, a mail server
    that supports mbox and maildir mailboxes, is vulnerable to a buffer
    overflow when processing SIEVE scripts. This can be used to elevate
    privileges to the dovecot system user. An attacker who is able to
    install SIEVE scripts executed by the server is therefore able to read
    and modify arbitrary email messages on the system.


    For the oldstable distribution (etch), this problem has been fixed in version 1.0.rc15-2etch5.

    For the stable distribution (lenny), this problem has been fixed in version 1:1.0.15-2.3+lenny1.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem has been fixed in version 1:1.2.1-1.


    We recommend that you upgrade your dovecot packages.


    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
    - -------------------------------

    Debian (oldstable)
    - ------------------

    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)