Your message dated Tue, 24 Nov 2009 17:02:40 +0000
with message-id <[email protected]>
and subject line Bug#557601: fixed in dovecot 1:1.2.8-1
has caused the Debian Bug report #557601,
regarding v1.2.8 fixes a security problem in v1.2 releases.
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
557601: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557601
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dovecot
Severity: critical
Tags: security
from http://www.dovecot.org/list/dovecot-news/2009-November/000143.html
This is mainly to fix the 0777 base_dir creation issue, which could be
considered a security hole, exploitable by local users. An attacker
could for example replace Dovecot's auth socket and log in as other
users. Gaining root privileges isn't possible though.
This affects only v1.2 users, v1.1 and older versions were creating the
directory with 0755 permission.
-- System Information:
Debian Release: squeeze/sid
APT prefers stable
APT policy: (700, 'stable'), (650, 'testing'), (600, 'unstable'), (500,
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-rc8-sonne (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
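An added example, not part of the original report or of Dovecot's own code: a shell check for the condition described in the report above, a base_dir (or a directory under it) that other local users can write to. The default path /var/run/dovecot and the function name audit_base_dir are assumptions made for this example; pass the base_dir from your own configuration.

```shell
#!/bin/sh
# Added example: audit a Dovecot base_dir for world-writable directories.
# The path is an assumption; pass your configured base_dir as the first argument.

# audit_base_dir DIR
# Prints one line per finding.
# Returns 0 when clean, 1 when a world-writable directory is found,
# 2 when DIR is not a directory.
audit_base_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "SKIP $dir: not a directory"
        return 2
    fi

    # -perm -0002 matches entries whose other-write bit is set.
    # -xdev keeps the walk on one filesystem.
    # Paths containing newlines are not handled.
    hits=$(find "$dir" -xdev -type d -perm -0002 2>/dev/null)

    if [ -z "$hits" ]; then
        echo "OK $dir: no world-writable directories"
        return 0
    fi

    printf '%s\n' "$hits" | while IFS= read -r d; do
        if [ -k "$d" ]; then
            # Sticky bit: others cannot remove entries they do not own,
            # but they can still create new ones.
            echo "WARN $d: world-writable with sticky bit"
        else
            # No sticky bit: any local user can rename or replace entries,
            # including the sockets kept in this directory.
            echo "FAIL $d: world-writable without sticky bit"
        fi
    done
    return 1
}

# Run the audit when a directory is given on the command line,
# e.g. sh audit.sh /var/run/dovecot
if [ "$#" -gt 0 ]; then
    audit_base_dir "$1"
fi
```

A FAIL line for the base_dir itself corresponds to the 0777 mode named in the report; the 0755 mode of v1.1 and older produces OK.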
--- Begin Message ---
Source: dovecot
Source-Version: 1:1.2.8-1
We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive:
dovecot-common_1.2.8-1_i386.deb
to main/d/dovecot/dovecot-common_1.2.8-1_i386.deb
dovecot-dbg_1.2.8-1_i386.deb
to main/d/dovecot/dovecot-dbg_1.2.8-1_i386.deb
dovecot-dev_1.2.8-1_i386.deb
to main/d/dovecot/dovecot-dev_1.2.8-1_i386.deb
dovecot-imapd_1.2.8-1_i386.deb
to main/d/dovecot/dovecot-imapd_1.2.8-1_i386.deb
dovecot-pop3d_1.2.8-1_i386.deb
to main/d/dovecot/dovecot-pop3d_1.2.8-1_i386.deb
dovecot_1.2.8-1.debian.tar.gz
to main/d/dovecot/dovecot_1.2.8-1.debian.tar.gz
dovecot_1.2.8-1.dsc
to main/d/dovecot/dovecot_1.2.8-1.dsc
dovecot_1.2.8.orig.tar.gz
to main/d/dovecot/dovecot_1.2.8.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jaldhar H. Vyas <[email protected]> (supplier of updated dovecot package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 23 Nov 2009 17:04:14 -0500
Source: dovecot
Binary: dovecot-common dovecot-dev dovecot-imapd dovecot-pop3d dovecot-dbg
Architecture: source i386
Version: 1:1.2.8-1
Distribution: unstable
Urgency: high
Maintainer: Dovecot Maintainers <[email protected]>
Changed-By: Jaldhar H. Vyas <[email protected]>
Description:
 dovecot-common - secure mail server that supports mbox and maildir mailboxes
 dovecot-dbg - debug symbols for Dovecot
 dovecot-dev - header files for the dovecot mail server
 dovecot-imapd - secure IMAP server that supports mbox and maildir mailboxes
 dovecot-pop3d - secure POP3 server that supports mbox and maildir mailboxes
Closes: 554710 557601
Changes:
 dovecot (1:1.2.8-1) unstable; urgency=high
 .
   [ Marco Nenciarini ]
   * New upstream release. (Closes: #557601)
   * Added myself to uploaders.
   * Switched to the new source format "3.0 (quilt)":
     - removed dpatch from build-depends
     - removed debian/README.source because now we use only standard
       dpkg features
     - regenerated all patches
   * Prepared to switch to multi-origin source:
     - recreated dovecot-libsieve.patch and dovecot-managesieve-dist.patch
       starting from the upstream tarball
     - removed all autotools related build-depends and build-conflict
     - renamed dovecot-libsieve and dovecot-managesieve directories
       to libsieve and managesieve.
   * debian/rules: Moved the configuration of libsieve and managesieve from
     the build phase to the configuration phase
 .
   [ Jaldhar H. Vyas ]
   * Added dovecot-dbg package with debugging symbols. Thanks Stephan Bosch.
     (Closes: #554710)
   * Fixed some stray libexec'isms in the default configuration.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAksLCroACgkQ2kYOR+5txmreBACeJdC0lJm5Fu1u5jWd+CSxBzjf
fz4An2S01Wp1pnXEsG7OPeSj44B1On3B
=hN0O
-----END PGP SIGNATURE-----
--- End Message ---