-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA 1359-1 security@debian.org http://www.debian.org/security/ Steve Kemp August 28th, 2007 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : dovecot Vulnerability : directory traversal Problem type : remote Debian-specific: no CVE Id(s) : CVE-2007-2231 It was discovered that dovecot, a secure mail server that supports mbox and maildir mailboxes, when configured to use non-system-user spools and compressed folders, may allow directory traversal in mailbox names. For the stable distribution (etch), this problem has been fixed in version 1.0.rc15-2etch1. For the old stable distribution (sarge), this problem was not present. For the unstable distribution this problem with be fixed soon. We recommend that you upgrade your dovecot package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - -------------------------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch1.dsc Size/MD5 checksum: 1007 cde4bffef0b1c78324bc8adc6354eaa4 http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz Size/MD5 checksum: 1463069 26f3d2b075856b1b1d180146363819e6 http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch1.diff.gz Size/MD5 checksum: 94823 fbf56611ccca44cee2a4663c8fbb56c0 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_alpha.deb Size/MD5 checksum: 618818 3b125c8d36e45fede3d73464a5e7f12a http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_alpha.deb Size/MD5 checksum: 1373836 97c909a2774519f3d04a33c74212cb05 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_alpha.deb Size/MD5 checksum: 580708 d840ccd638850f72014e89641fbe9569 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_amd64.deb Size/MD5 checksum: 534118 8869870afff4eb25559457faece371d4 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_amd64.deb Size/MD5 checksum: 568180 ebf3cfcb5343f48379ef14989a9482ef http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_amd64.deb Size/MD5 checksum: 1224650 79fbf3019551461c68197a5e5f6a6620 arm architecture (ARM) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_arm.deb Size/MD5 checksum: 1116470 a3774a96d2daf2534613cd75e9044726 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_arm.deb Size/MD5 checksum: 503858 45c610525a211f80462ee8a30b997b98 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_arm.deb Size/MD5 checksum: 534534 e7af01554616f50b38b63e76a0035402 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_hppa.deb Size/MD5 checksum: 1293812 b77e446a414f88c05aa073c663e1aff3 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_hppa.deb Size/MD5 checksum: 596290 207bcda07cad9d263b4543c87788553d http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_hppa.deb Size/MD5 checksum: 559686 bab920cd7543cfaea2a76e03cc087d51 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_i386.deb Size/MD5 checksum: 1127680 80fab6db53d353058b801e5ad42cd305 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_i386.deb Size/MD5 checksum: 511940 b773c45daa6483d02af9f4f702a538f7 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_i386.deb Size/MD5 checksum: 544082 d4685011b8c8359f849a2fc3f65cb0b3 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_ia64.deb Size/MD5 checksum: 789702 84fb674f3f568db180c41cfb21088d5f http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_ia64.deb Size/MD5 checksum: 1694430 e4c5c30e65312e92ec151d55f308c473 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_ia64.deb Size/MD5 checksum: 733296 4b718887ebdcc88600999e0270e12ec0 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_mips.deb Size/MD5 checksum: 593030 1af3fc78abbcf4f0c9aece1fad08b624 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_mips.deb Size/MD5 checksum: 557018 3bcd83e867f03d1dfac558f1df1a7ca5 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_mips.deb Size/MD5 checksum: 1258216 833f0f974dfe83db4d3cab0351f4c33b mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_mipsel.deb Size/MD5 checksum: 1263156 b8c3335d051c0be6b2923f5e939594cd http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_mipsel.deb Size/MD5 checksum: 592544 61b1b479bb89219e9493c8140913ff07 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_mipsel.deb Size/MD5 checksum: 556560 67fd4d0ba283209202c0b4564a2ae74a s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_s390.deb Size/MD5 checksum: 1284486 5b39d3b4db4ab8f4360406037e118a88 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_s390.deb Size/MD5 checksum: 592810 7361ea663e14012502c9821e9d2fdf70 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_s390.deb Size/MD5 checksum: 557544 1dce29ac718f481894db452aef8c783d sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_sparc.deb Size/MD5 checksum: 1103380 47e7f2cf8d8276ee941ab7332ad356ab http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_sparc.deb Size/MD5 checksum: 531158 41e6f8e91ddc0bda4089aa1e1ac97432 http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_sparc.deb Size/MD5 checksum: 499596 4bdaaa9e12ef03ee5800c1b291970479 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFG1GIhwM/Gs81MDZ0RAu2+AKClyc+Hp8T8rfMqjq5UaMnBYLo1BgCg3RHL qAHaDowybNaXwDlnofswnAg= =KY3M -----END PGP SIGNATURE-----