[Bug 307291] Re: Security hole in ManageSieve: Virtual users can edit scripts of other virtual users
Launchpad Bug Tracker
307291 at bugs.launchpad.net
Fri Feb 13 03:05:07 GMT 2009
This bug was fixed in the package dovecot - 1:1.1.11-0ubuntu1
---------------
dovecot (1:1.1.11-0ubuntu1) jaunty; urgency=low
[ Ante Karamatic ]
Add new binary pkg dovecot-postfix that integrates postfix and dovecot
automatically: (LP: #164837)
- debian/control:
+ add new binary with short description.
- debian/dovecot-postfix.postinst:
+ create initial certificate symlinks to snakeoil.
+ set up postfix with postconf to:
- use Maildir/ as the default mailbox.
- use dovecot as the sasl authentication server.
- use dovecot LDA (deliver).
- use tls for smtp{d} services.
+ restart postfix and dovecot.
- debian/dovecot-postfix.postrm:
+ remove all dovecot related configuration from postfix.
+ restart postfix and dovecot.
- debian/dovecot-common.init:
+ check if /etc/dovecot/dovecot-postfix.conf exists and use it
as the configuration file if so.
- debian/patches/warning-ubuntu-postfix.dpatch
+ add warning about dovecot-postfix.conf in dovecot default
configuration file.
- debian/patches/dovecot-postfix.conf.diff:
+ Ubuntu server custom changes to the default dovecot configuration for
better integration with postfix:
- enable imap, pop3, imaps, pop3s and managesieve by default.
- enable dovecot LDA (deliver).
- enable SASL auth socket in postfix private directory.
- debian/rules:
+ copy, patch and install dovecot-postfix.conf in /etc/dovecot/.
[ Mathias Gug ]
* New upstream release:
* Update dovecot-managesieve to 0.10.5. Fixes:
- check if names of sieve scripts contain '/' (LP: #307291)
* Update dovecot-managesieve patch for 1.1.11 and 0.10.5.
* Update dovecot-sieve plugin to 1.1.6.
* Merge from debian experimental, remaining changes:
- Use Snakeoil SSL certificates by default.
+ debian/control: Depend on ssl-cert
+ debian/patches/ssl-cert-snakeoil.dpatch: Change default SSL cert
paths to snakeoil.
+ debian/dovecot-common.postinst: Relax grep for SSL_* a bit.
- Add autopkgtest in debian/tests/*.
- debian/dovecot-common.init: Check to see if there is an /etc/inetd.conf.
(LP: #208411)
- Fast TearDown: Update lsb init header to not stop in level 6.
- Add status action to the init script:
+ debian/control: Depend on lsb >= 3.2.12ubuntu3.
+ debian/dovecot-common-init: Add the 'status' action (LP: #247096).
- debian/rules:
- Copy config.{guess,sub} after running libtoolize.
- Clean dovecot-managesieve directory.
- Add ufw integration:
- Created debian/dovecot-common.ufw.profile
- debian/rules:
+ install profile
- debian/control
+ Suggest ufw
- debian/{control,rules}: enable PIE hardening.
- Updated dovecot.common.README.Debian with information on what has changed
between 1.0 and 1.1.1. Fixes (LP: #257625)
- dovecot-imapd, dovecot-pop3: Replaces dovecot-common (<< 1:1.1). LP: #254721.
- debian/control:
+ Update Vcs-* headers.
* debian/rules:
- Create empty stamp.h.in files in dovecot-sieve/ and dovecot-managesieve/
if they're not there since empty files are not included in the diff.gz
file.
* Dropped:
- debian/patches/fix-message-parser.dpatch: Parsing an invalid message
address like "From: (" caused an assert-crash. (LP: #290901).
(CVE-2008-4907 - fixed in 1.1.6)
- debian/patches/login-max-process-count-warning.dpatch: Tell the user
that they have reached the maximum number of processes count.
(LP: #189616) - Different implementation from upstream.
- debian/patches/fix-dovecot-sieve.dpatch: Fixes assertion error
when a header string ends with a LF (LP: #264306). Implemented upstream.
- Don't fail in postinst if dovecot-{sql,ldap} is missing. (LP: #153161)
dovecot (1:1.1.9-1) experimental; urgency=low
[ Fabio Tranchitella ]
* debian/control: dovecot-common suggests ntp.
[ Joel Johnson ]
* New upstream release
* updated managesieve patch to apply against new version
dovecot (1:1.1.8-1) experimental; urgency=low
* New upstream release.
* debian/control: added LDA to the description of dovecot-common.
dovecot (1:1.1.7-1) experimental; urgency=low
* New upstream release
* Updated dovecot-ssh.patch for new release
* Updated MANAGESIEVE to 0.10.4
* Fix package to support double compilation
- Properly clean dovecot-managesieve as pointed out by Stephan Bosch
- Add --copy directive to automake invocation
-- Mathias Gug <mathiaz at ubuntu.com> Thu, 12 Feb 2009 21:45:09 -0500
** Changed in: dovecot (Ubuntu)
Status: New => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4907
--
Security hole in ManageSieve: Virtual users can edit scripts of other virtual users
https://bugs.launchpad.net/bugs/307291
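The managesieve fix recorded in the changelog above ("check if names of sieve scripts contain '/'", LP: #307291) closes a path-traversal class of bug: a client-supplied script name is used as a filename component under a per-user storage directory, so a name containing '/' (for example "../otheruser/script") can reach another virtual user's scripts. The block below is an added example written for this page, not Dovecot's or the managesieve patch's code. It assumes a hypothetical storage layout of <base>/<user>/<name>.sieve, and the function names, the SIEVE_NAME_MAX limit and the sample names are assumptions made for illustration; the extra rejections beyond '/' (empty names, "." and "..", leading dots, control characters and backslash) are the checks a practitioner would add on top of the one the changelog names, with the control-character rule following RFC 5804's restrictions on script names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Dovecot code. Hypothetical storage layout:
   every virtual user's scripts live under <base>/<user>/<name>.sieve */

#define SIEVE_NAME_MAX 128   /* assumed limit, not a Dovecot setting */

static int build_script_path(char *out, size_t outlen, const char *base,
                             const char *user, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s/%s.sieve", base, user, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Pre-fix behaviour: the client-supplied name is trusted as a path component. */
int unchecked_script_path(char *out, size_t outlen, const char *base,
                          const char *user, const char *name)
{
    return build_script_path(out, outlen, base, user, name);
}

/* Name validation: '/' is the check the changelog describes; the rest keeps
   the name a single, plain directory entry and follows RFC 5804's ban on
   control characters in script names. */
bool sieve_script_name_is_valid(const char *name)
{
    size_t len, i;

    if (name == NULL)
        return false;
    len = strlen(name);
    if (len == 0 || len > SIEVE_NAME_MAX)
        return false;
    if (strchr(name, '/') != NULL)              /* the LP #307291 fix */
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    if (name[0] == '.')                         /* no hidden files / dotfile markers */
        return false;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c == 0x7f || c == '\\')
            return false;
    }
    return true;
}

/* Post-fix behaviour: refuse to build a path for an invalid name. */
int checked_script_path(char *out, size_t outlen, const char *base,
                        const char *user, const char *name)
{
    if (!sieve_script_name_is_valid(name))
        return -1;
    return build_script_path(out, outlen, base, user, name);
}

/* String-returning wrappers (static buffers, not reentrant) for easy comparison. */
const char *unchecked_script_path_str(const char *base, const char *user,
                                      const char *name)
{
    static char buf[512];
    return unchecked_script_path(buf, sizeof buf, base, user, name) == 0 ? buf : NULL;
}

const char *checked_script_path_str(const char *base, const char *user,
                                    const char *name)
{
    static char buf[512];
    return checked_script_path(buf, sizeof buf, base, user, name) == 0 ? buf : NULL;
}

int main(void)
{
    /* Constructed sample: "alice" submits a name aimed at "bob"'s storage. */
    const char *evil = "../bob/roundcube";
    const char *p;

    p = unchecked_script_path_str("/var/sieve", "alice", evil);
    printf("unchecked: %s\n", p ? p : "(refused)");   /* escapes alice's directory */
    p = checked_script_path_str("/var/sieve", "alice", evil);
    printf("checked:   %s\n", p ? p : "(refused)");   /* refused */
    p = checked_script_path_str("/var/sieve", "alice", "vacation");
    printf("checked:   %s\n", p ? p : "(refused)");   /* /var/sieve/alice/vacation.sieve */
    return 0;
}
```

The check belongs at the point where the protocol-level name becomes a filesystem name, before any PUTSCRIPT, GETSCRIPT, DELETESCRIPT, RENAMESCRIPT or SETACTIVE touches the disk; validating only on upload leaves the other commands exposed. Running the resolved path through realpath() and comparing it against the user's directory is a second, independent line of defence if the storage supports symlinks.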