Ubuntu Security Notice USN-593-1
26th March, 2008
dovecot vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 7.10
- Ubuntu 7.04
- Ubuntu 6.10
- Ubuntu 6.06 LTS
Software description
- dovecot
Details
It was discovered that the default configuration of dovecot could allow
access to any email files with group "mail" without verifying that a user
had valid rights. An attacker able to create symlinks in their mail
directory could exploit this to read or delete another user's email.
(CVE-2008-1199)
By default, dovecot passed special characters to the underlying
authentication systems. While Ubuntu releases of dovecot are not known
to be vulnerable, the authentication routine was proactively improved
to avoid potential future problems. (CVE-2008-1218)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 7.10:
- dovecot-pop3d 1:1.0.5-1ubuntu2.2
- dovecot-common 1:1.0.5-1ubuntu2.2
- dovecot-imapd 1:1.0.5-1ubuntu2.2
- Ubuntu 7.04:
- dovecot-pop3d 1.0.rc17-1ubuntu2.3
- dovecot-common 1.0.rc17-1ubuntu2.3
- dovecot-imapd 1.0.rc17-1ubuntu2.3
- Ubuntu 6.10:
- dovecot-pop3d 1.0.rc2-1ubuntu2.3
- dovecot-common 1.0.rc2-1ubuntu2.3
- dovecot-imapd 1.0.rc2-1ubuntu2.3
- Ubuntu 6.06 LTS:
- dovecot-pop3d 1.0.beta3-3ubuntu5.6
- dovecot-common 1.0.beta3-3ubuntu5.6
- dovecot-imapd 1.0.beta3-3ubuntu5.6
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system upgrade, additional dovecot configuration changes
are needed.
ATTENTION: Due to an unavoidable configuration update, the dovecot
settings in /etc/dovecot/dovecot.conf need to be updated manually.
During the update, a configuration file conflict will be shown.
The default setting "mail_extra_groups = mail" should be changed to
"mail_privileged_group = mail". If your local configuration uses groups
other than "mail", you may need to use the new "mail_access_groups"
setting as well.