Synopsis: Low: dovecot security and bug fix update
Issue Date: 2013-02-21
CVE Numbers: CVE-2011-2166
CVE-2011-2167
CVE-2011-4318
—
Two flaws were found in the way some settings were enforced by the script-login
functionality of Dovecot. A remote, authenticated user could use these flaws to
bypass intended access restrictions or conduct a directory traversal attack by
leveraging login scripts. (CVE-2011-2166, CVE-2011-2167)
A flaw was found in the way Dovecot performed remote server identity
verification, when it was configured to proxy IMAP and POP3 connections to
remote hosts using TLS/SSL protocols. A remote attacker could use this flaw to
conduct man-in-the-middle attacks using an X.509 certificate issued by a
trusted Certificate Authority (for a different name). (CVE-2011-4318)
This update also fixes the following bug:
* When a new user first accessed their IMAP inbox, Dovecot was, under some
circumstances, unable to change the group ownership of the inbox directory in
the user’s Maildir location to match that of the user’s mail spool
(/var/mail/$USER). This correctly generated an “Internal error occurred”
message. However, with a subsequent attempt to access the inbox, Dovecot saw
that the directory already existed and proceeded with its operation, leaving
the directory with incorrectly set permissions. This update corrects the
underlying permissions setting error. When a new user now accesses their inbox
for the first time, and it is not possible to set group ownership, Dovecot
removes the created directory and generates an error message instead of keeping
the directory with incorrect group ownership.
After installing the updated packages, the dovecot service will be restarted
automatically.
—
SL6
x86_64
dovecot-2.0.9-5.el6.i686.rpm
dovecot-2.0.9-5.el6.x86_64.rpm
dovecot-debuginfo-2.0.9-5.el6.i686.rpm
dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm
dovecot-mysql-2.0.9-5.el6.x86_64.rpm
dovecot-pgsql-2.0.9-5.el6.x86_64.rpm
dovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm
dovecot-devel-2.0.9-5.el6.x86_64.rpm
i386
dovecot-2.0.9-5.el6.i686.rpm
dovecot-debuginfo-2.0.9-5.el6.i686.rpm
dovecot-mysql-2.0.9-5.el6.i686.rpm
dovecot-pgsql-2.0.9-5.el6.i686.rpm
dovecot-pigeonhole-2.0.9-5.el6.i686.rpm
dovecot-devel-2.0.9-5.el6.i686.rpm
– Scientific Linux Development Team
