USN-1059-1: Dovecot vulnerabilities

Releases

• Ubuntu 10.10
• Ubuntu 10.04

Packages

• dovecot -

Details

It was discovered that the ACL plugin in Dovecot would incorrectly
propagate ACLs to new mailboxes. A remote authenticated user could possibly
read new mailboxes that were created with the wrong ACL. (CVE-2010-3304)

It was discovered that the ACL plugin in Dovecot would incorrectly merge
ACLs in certain circumstances. A remote authenticated user could possibly
bypass intended access restrictions and gain access to mailboxes.
(CVE-2010-3706, CVE-2010-3707)

It was discovered that the ACL plugin in Dovecot would incorrectly grant
the admin permission to owners of certain mailboxes. A remote authenticated
user could possibly bypass intended access restrictions and gain access to
mailboxes. (CVE-2010-3779)

It was discovered that Dovecot incorrecly handled the simultaneous
disconnect of a large number of sessions. A remote authenticated user could
use this flaw to cause Dovecot to crash, resulting in a denial of service.
(CVE-2010-3780)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.10

• dovecot-common - 1:1.2.12-1ubuntu8.1

Ubuntu 10.04

• dovecot-common - 1:1.2.9-1ubuntu6.3

In general, a standard system update will make all the necessary changes.

References

• CVE-2010-3779
• CVE-2010-3707
• CVE-2010-3706
• CVE-2010-3780
• CVE-2010-3304