[Mandriva] Mehrere Schwachstellen in Dovecot vor Version 1.1.4 – MDVSA-2008:232

[Mandriva] Mehrere Schwachstellen in Dovecot vor Version 1.1.4 - MDVSA-2008:232

Von

—–BEGIN PGP SIGNED MESSAGE—–

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgendes Advisory von Mandriva Security.Wir
geben diese Informationen unveraendert an Sie weiter.

CVE-2008-4577 – Fehlerhafte Behandlung von Access Control Lists in
Dovecot

Besitzt ein Benutzer negative Zugriffsrechte auf Mailboxen, so werden
diese vom Dovecot Mailserver so behandelt, als waeren die Werte der
ACL-Eintraege positiv. Dies kann einem Benutzer ermoeglichen mit
erweiterten Rechten auf Daten zuzugreifen.

CVE-2008-4578 – Schwachstelle in Dovecots Anwendung von ACLs

Dovecot beinhaltet eine Schwachstelle bei der Anwendung von Access
Control Lists. Diese ermoeglicht Benutzern des Mailservers
untergeordnete Mailboxen neu anzulegen obwohl dies durch die ACL
verhindert werden sollte.

Betroffen sind die folgenden Software Pakete und Plattformen:

Paket dovecot

Mandriva Linux 2009.0
Mandriva Linux 2009.0/X86_64

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

Hersteller Advisory:
http://www.mandriva.com/security/advisories?name=MDVSA-2008:232

(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
Klaus Moeller, DFN-CERT

– —
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrase 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatische Warnmeldungen https://www.cert.dfn.de/autowarn

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2008:232
http://www.mandriva.com/security/
_______________________________________________________________________

Package : dovecot
Date : November 19, 2008
Affected: 2009.0
_______________________________________________________________________

Problem Description:

The ACL plugin in dovecot prior to version 1.1.4 treated negative
access rights as though they were positive access rights, which allowed
attackers to bypass intended access restrictions (CVE-2008-4577).

The ACL plugin in dovecot prior to version 1.1.6 allowed attackers to
bypass intended access restrictions by using the ‘k’ right to create
unauthorized ‘parent/child/child’ mailboxes (CVE-2008-4578).

In addition, two bugs were discovered in the dovecot package shipped
with Mandriva Linux 2009.0. The default permissions on the dovecot.conf
configuration file were too restrictive, which prevents the use of
dovecot’s ‘deliver’ command as a non-root user. Secondly, dovecot
should not start until after ntpd, if ntpd is active, because if ntpd
corrects the time backwards while dovecot is running, dovecot will
quit automatically, with the log message ‘Time just moved backwards
by X seconds. This might cause a lot of problems, so I’ll just kill
myself now.’ The update resolves both these problems. The default
permissions on dovecot.conf now allow the ‘deliver’ command to read the
file. Note that if you edited dovecot.conf at all prior to installing
the update, the new permissions may not be applied. If you find the
‘deliver’ command still does not work following the update, please
run these commands as root:

# chmod 0640 /etc/dovecot.conf
# chown root:mail /etc/dovecot.conf

Dovecot’s initialization script now configures it to start after the
ntpd service, to ensure ntpd resetting the clock does not interfere
with Dovecot operation.

This package corrects the above-noted bugs and security issues by
upgrading to the latest dovecot 1.1.6, which also provides additional
bug fixes.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4578
https://qa.mandriva.com/44926
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2009.0:
437fcab249d5274b3101bb7c953c2a79 2009.0/i586/dovecot-1.1.6-0.1mdv2009.0.i586.rpm
0ca908249ab050c56e61dadfd0fb1c33 2009.0/i586/dovecot-devel-1.1.6-0.1mdv2009.0.i586.rpm
48b2d085ef9a6a1c1dfcb55f3af6090b 2009.0/i586/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.i586.rpm
8698367ab382293be85e3e7fb65b38ca 2009.0/i586/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.i586.rpm
c2878a5f597b8a9f66605df32cf65a06 2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
1c4936b072f401ea2c94c6c7b3d6b427 2009.0/x86_64/dovecot-1.1.6-0.1mdv2009.0.x86_64.rpm
5d869999de273e36c8bda186fb2610a0 2009.0/x86_64/dovecot-devel-1.1.6-0.1mdv2009.0.x86_64.rpm
9bc71b93dce1b7995039e0cbf7623803 2009.0/x86_64/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.x86_64.rpm
264aaf2cbec7ef2ea7071f14b6bf174a 2009.0/x86_64/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.x86_64.rpm
c2878a5f597b8a9f66605df32cf65a06 2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg –recv-keys –keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

– —–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJJFP0mqjQ0CJFipgRAuoeAJ0WfJeaYMYjf3AqlqNMB5bgLqLUyACfVeUw
J+LV2A2JkunA7NIvHpNp96M=
=mVwB
– —–END PGP SIGNATURE—–
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBSSVS3UhXCWfrVVdXAQFRbAf6ApGBAcckQwjkY2imnGDnyIjfLWCaxkhP
FauJVUVyWrXcWtVp7dmcRfv+t4oUdyRSMFlCtaRLBIkpMWqyItMtmOD1U0tEYXN7
DEXJhxgQDbNutxE45EDGEozGYus1ZLYNtOvK0MemGYecJcA17IpYwLzyrmRqkDdJ
IKDExJjwL6V/lg0UkLAFlIOEepzeyc0gI4mUTZwnsFPbRSooqbzIWHdNAO9ANn1u
tDeQ+6LW4el4mcaQ+b8jHO+zWDz+cy8/qCDDryifjpUDl7R5mcuvIBgQKCChdY4X
bDJBeOc3WU6w1xfx2RWvDdaqehxfpLpJkWKhIS9VnP6m0UAeFyT8ng==
=lV3S
—–END PGP SIGNATURE—–

[Mandriva] Mehrere Schwachstellen in Dovecot vor Version 1.1.4 - MDVSA-2008:232

Von

—–BEGIN PGP SIGNED MESSAGE—–

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgendes Advisory von Mandriva Security.Wir
geben diese Informationen unveraendert an Sie weiter.

CVE-2008-4577 – Fehlerhafte Behandlung von Access Control Lists in
Dovecot

Besitzt ein Benutzer negative Zugriffsrechte auf Mailboxen, so werden
diese vom Dovecot Mailserver so behandelt, als waeren die Werte der
ACL-Eintraege positiv. Dies kann einem Benutzer ermoeglichen mit
erweiterten Rechten auf Daten zuzugreifen.

CVE-2008-4578 – Schwachstelle in Dovecots Anwendung von ACLs

Dovecot beinhaltet eine Schwachstelle bei der Anwendung von Access
Control Lists. Diese ermoeglicht Benutzern des Mailservers
untergeordnete Mailboxen neu anzulegen obwohl dies durch die ACL
verhindert werden sollte.

Betroffen sind die folgenden Software Pakete und Plattformen:

Paket dovecot

Mandriva Linux 2009.0
Mandriva Linux 2009.0/X86_64

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

Hersteller Advisory:
http://www.mandriva.com/security/advisories?name=MDVSA-2008:232

(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
Klaus Moeller, DFN-CERT

– —
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrase 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatische Warnmeldungen https://www.cert.dfn.de/autowarn

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2008:232
http://www.mandriva.com/security/
_______________________________________________________________________

Package : dovecot
Date : November 19, 2008
Affected: 2009.0
_______________________________________________________________________

Problem Description:

The ACL plugin in dovecot prior to version 1.1.4 treated negative
access rights as though they were positive access rights, which allowed
attackers to bypass intended access restrictions (CVE-2008-4577).

The ACL plugin in dovecot prior to version 1.1.6 allowed attackers to
bypass intended access restrictions by using the ‘k’ right to create
unauthorized ‘parent/child/child’ mailboxes (CVE-2008-4578).

In addition, two bugs were discovered in the dovecot package shipped
with Mandriva Linux 2009.0. The default permissions on the dovecot.conf
configuration file were too restrictive, which prevents the use of
dovecot’s ‘deliver’ command as a non-root user. Secondly, dovecot
should not start until after ntpd, if ntpd is active, because if ntpd
corrects the time backwards while dovecot is running, dovecot will
quit automatically, with the log message ‘Time just moved backwards
by X seconds. This might cause a lot of problems, so I’ll just kill
myself now.’ The update resolves both these problems. The default
permissions on dovecot.conf now allow the ‘deliver’ command to read the
file. Note that if you edited dovecot.conf at all prior to installing
the update, the new permissions may not be applied. If you find the
‘deliver’ command still does not work following the update, please
run these commands as root:

# chmod 0640 /etc/dovecot.conf
# chown root:mail /etc/dovecot.conf

Dovecot’s initialization script now configures it to start after the
ntpd service, to ensure ntpd resetting the clock does not interfere
with Dovecot operation.

This package corrects the above-noted bugs and security issues by
upgrading to the latest dovecot 1.1.6, which also provides additional
bug fixes.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4578
https://qa.mandriva.com/44926
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2009.0:
437fcab249d5274b3101bb7c953c2a79 2009.0/i586/dovecot-1.1.6-0.1mdv2009.0.i586.rpm
0ca908249ab050c56e61dadfd0fb1c33 2009.0/i586/dovecot-devel-1.1.6-0.1mdv2009.0.i586.rpm
48b2d085ef9a6a1c1dfcb55f3af6090b 2009.0/i586/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.i586.rpm
8698367ab382293be85e3e7fb65b38ca 2009.0/i586/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.i586.rpm
c2878a5f597b8a9f66605df32cf65a06 2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
1c4936b072f401ea2c94c6c7b3d6b427 2009.0/x86_64/dovecot-1.1.6-0.1mdv2009.0.x86_64.rpm
5d869999de273e36c8bda186fb2610a0 2009.0/x86_64/dovecot-devel-1.1.6-0.1mdv2009.0.x86_64.rpm
9bc71b93dce1b7995039e0cbf7623803 2009.0/x86_64/dovecot-plugins-gssapi-1.1.6-0.1mdv2009.0.x86_64.rpm
264aaf2cbec7ef2ea7071f14b6bf174a 2009.0/x86_64/dovecot-plugins-ldap-1.1.6-0.1mdv2009.0.x86_64.rpm
c2878a5f597b8a9f66605df32cf65a06 2009.0/SRPMS/dovecot-1.1.6-0.1mdv2009.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg –recv-keys –keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

– —–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJJFP0mqjQ0CJFipgRAuoeAJ0WfJeaYMYjf3AqlqNMB5bgLqLUyACfVeUw
J+LV2A2JkunA7NIvHpNp96M=
=mVwB
– —–END PGP SIGNATURE—–
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBSSVS3UhXCWfrVVdXAQFRbAf6ApGBAcckQwjkY2imnGDnyIjfLWCaxkhP
FauJVUVyWrXcWtVp7dmcRfv+t4oUdyRSMFlCtaRLBIkpMWqyItMtmOD1U0tEYXN7
DEXJhxgQDbNutxE45EDGEozGYus1ZLYNtOvK0MemGYecJcA17IpYwLzyrmRqkDdJ
IKDExJjwL6V/lg0UkLAFlIOEepzeyc0gI4mUTZwnsFPbRSooqbzIWHdNAO9ANn1u
tDeQ+6LW4el4mcaQ+b8jHO+zWDz+cy8/qCDDryifjpUDl7R5mcuvIBgQKCChdY4X
bDJBeOc3WU6w1xfx2RWvDdaqehxfpLpJkWKhIS9VnP6m0UAeFyT8ng==
=lV3S
—–END PGP SIGNATURE—–

© COMPUTEC MEDIA GmbH
Nach oben