Gentoo Archives: gentoo-announce

From: Stefan Behte <craig@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201110-04 ]
Date: Mon, 10 Oct 2011 20:27:35
Message-Id: 4E93542B.7050803@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201110-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: Dovecot: Multiple vulnerabilities
     Date: October 10, 2011
     Bugs: #286844, #293954, #314533, #368653
       ID: 201110-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Dovecot, the worst of which
allows for remote execution of arbitrary code.

Background
==========

Dovecot is an IMAP and POP3 server written with security primarily in
mind.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-mail/dovecot             < 2.0.13                  *>= 1.2.17
                                                             >= 2.0.13

Description
===========

Multiple vulnerabilities have been discovered in Dovecot. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could exploit these vulnerabilities to cause the
remote execution of arbitrary code, or a Denial of Service condition,
to conduct directory traversal attacks, corrupt data, or disclose
information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Dovecot 1 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.2.17"

All Dovecot 2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.0.13"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since May 28, 2011. It is likely that your system is already
no longer affected by this issue.

References
==========

[ 1 ] CVE-2009-3235
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235
[ 2 ] CVE-2009-3897
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897
[ 3 ] CVE-2010-0745
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745
[ 4 ] CVE-2010-3304
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304
[ 5 ] CVE-2010-3706
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706
[ 6 ] CVE-2010-3707
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707
[ 7 ] CVE-2010-3779
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779
[ 8 ] CVE-2010-3780
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780
[ 9 ] CVE-2011-1929
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929
[ 10 ] CVE-2011-2166
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166
[ 11 ] CVE-2011-2167
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201110-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
