[Dovecot] [SECURITY] [DSA 1080-1] New dovecot packages fix directory traversal

Tom Metro tmetro+dovecot at vl.com
Mon May 29 21:05:59 EEST 2006 

Timo Sirainen wrote:
> Unfortunately we have our first problem that could really be counted as
> security hole.
> 
> Giving "1 LIST .. *" IMAP command allows the user to see all files and
> directories under the mbox root's parent directory, so potentially you
> could see other users' mailbox names. Nothing can be done with them
> though, so it's not possible to read or modify them.
...
> This affects 1.0 beta and 1.0 stable releases, but not 0.99.x.

FYI, I believe the Debian Security Announcement below corresponds with 
the above issue, and indicates that patched packages are now available.

  -Tom


-------- Original Message --------
Subject: [SECURITY] [DSA 1080-1] New dovecot packages fix directory 
traversal
Resent-Date: Mon, 29 May 2006 02:07:15 -0500 (CDT)
Resent-From: debian-security-announce at lists.debian.org
Date: Mon, 29 May 2006 09:05:36 +0200 (CEST)
From: joey at infodrom.org (Steve Kemp)
Reply-To: debian-security at lists.debian.org
To: debian-security-announce at lists.debian.org (Debian Security 
Announcements)

--------------------------------------------------------------------------
Debian Security Advisory DSA 1080-1                  security at debian.org
http://www.debian.org/security/                               Steve Kemp
May 29th, 2006                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : dovecot
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2414

A problem has been discovered in the IMAP component of Dovecot, a
secure mail server that supports mbox and maildir mailboxes, which can
lead to information disclosure via directory traversal by
authenticated users.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 0.99.14-1sarge0.

For the unstable distribution (sid) this problem has been fixed in
version 1.0beta8-1.

We recommend that you upgrade your dovecot-imapd package.


Upgrade Instructions
- --------------------
[...]
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
         will update the internal database
apt-get upgrade
         will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

[...]
--------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
[...]

More information about the dovecot mailing list