Advisories MDVSA-2010:217: dovecot


paul
Multiple vulnerabilities were discovered and corrected in dovecot:

Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin permission to the owner of each mailbox in a non-public namespace, which might allow remote authenticated users to bypass intended access restrictions by changing the ACL of a mailbox, as demonstrated by a symlinked shared mailbox (CVE-2010-3779).

Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneously disconnecting many (1) IMAP or (2) POP3 sessions (CVE-2010-3780).

The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs (CVE-2010-3304).

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox (CVE-2010-3706).

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox (CVE-2010-3707).

This advisory provides dovecot 1.2.15, which is not vulnerable to these issues.
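
The add-versus-replace distinction behind CVE-2010-3706 and CVE-2010-3707, as an added example that is not part of the advisory and is not Dovecot's code. It is a simplified model: the rights bits, the identifier kinds and their specificity ordering, the function names and the sample ACL are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model for illustration; not Dovecot's data structures. */
enum { R_LOOKUP = 1, R_READ = 2, R_WRITE = 4, R_INSERT = 8 };
/* Identifier kinds, least to most specific (ordering is an assumption). */
enum id_kind { ID_ANYONE, ID_AUTHENTICATED, ID_USER };
struct acl_entry { enum id_kind kind; const char *name; unsigned rights; };

/* Constructed sample: broad entry first, narrower entry for "bob" after it. */
static const struct acl_entry SAMPLE_ACL[] = {
    { ID_ANYONE, NULL,  R_LOOKUP | R_READ | R_WRITE | R_INSERT },
    { ID_USER,   "bob", R_LOOKUP },
};
enum { SAMPLE_LEN = sizeof(SAMPLE_ACL) / sizeof(SAMPLE_ACL[0]) };

/* Only logged-in users are modelled, so non-user entries always match. */
static int matches(const struct acl_entry *e, const char *user)
{
    return e->kind != ID_USER || strcmp(e->name, user) == 0;
}

/* Flawed interpretation: every matching entry adds to the rights so far. */
unsigned rights_additive(const struct acl_entry *acl, size_t n, const char *user)
{
    unsigned rights = 0;
    for (size_t i = 0; i < n; i++)
        if (matches(&acl[i], user))
            rights |= acl[i].rights;
    return rights;
}

/* Intended interpretation: the most specific matching entry replaces the rest. */
unsigned rights_replacing(const struct acl_entry *acl, size_t n, const char *user)
{
    unsigned rights = 0;
    int best = -1;
    for (size_t i = 0; i < n; i++)
        if (matches(&acl[i], user) && (int)acl[i].kind >= best) {
            best = (int)acl[i].kind;
            rights = acl[i].rights;
        }
    return rights;
}

int main(void)
{
    printf("bob: additive=0x%x replacing=0x%x\n", rights_additive(SAMPLE_ACL, SAMPLE_LEN, "bob"),
           rights_replacing(SAMPLE_ACL, SAMPLE_LEN, "bob"));
    return 0;
}
```

In this model the narrower entry for "bob" is meant to restrict him to lookup only, but the additive interpretation leaves him with every right granted to "anyone"; comparing the two results for each user is a quick way to audit an ACL for entries whose restriction silently has no effect.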
