Oval Definition:oval:org.mitre.oval:def:27001
Revision Date:2014-12-08Version:9
Title:RHSA-2013:0520 -- dovecot security and bug fix update (Low)
Description:Dovecot is an IMAP server, written with security primarily in mind, forLinux and other UNIX-like systems. It also contains a small POP3 server. Itsupports mail in either of maildir or mbox formats. The SQL drivers andauthentication plug-ins are provided as sub-packages.Two flaws were found in the way some settings were enforced by thescript-login functionality of Dovecot. A remote, authenticated user coulduse these flaws to bypass intended access restrictions or conduct adirectory traversal attack by leveraging login scripts. (CVE-2011-2166,CVE-2011-2167)A flaw was found in the way Dovecot performed remote server identityverification, when it was configured to proxy IMAP and POP3 connections toremote hosts using TLS/SSL protocols. A remote attacker could use this flawto conduct man-in-the-middle attacks using an X.509 certificate issued bya trusted Certificate Authority (for a different name). (CVE-2011-4318)This update also fixes the following bug:* When a new user first accessed their IMAP inbox, Dovecot was, under somecircumstances, unable to change the group ownership of the inbox directoryin the user's Maildir location to match that of the user's mail spool(/var/mail/$USER). This correctly generated an "Internal error occurred"message. However, with a subsequent attempt to access the inbox, Dovecotsaw that the directory already existed and proceeded with its operation,leaving the directory with incorrectly set permissions. This updatecorrects the underlying permissions setting error. When a new user nowaccesses their inbox for the first time, and it is not possible to setgroup ownership, Dovecot removes the created directory and generates anerror message instead of keeping the directory with incorrect groupownership. (BZ#697620)Users of dovecot are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues. After installing theupdated packages, the dovecot service will be restarted automatically.
Family:unixClass:patch
Status:ACCEPTEDReference(s):CESA-2013:0520
CVE-2011-2166
CVE-2011-2167
CVE-2011-4318
RHSA-2013:0520
Platform(s):CentOS Linux 6
Red Hat Enterprise Linux 6
Product(s):dovecot
Definition Synopsis
  • Red Hat Enterprise Linux 6 and CentOS Linux 6 release section
  • Operation system section
  • The operating system installed on the system is Red Hat Enterprise Linux 6
  • OR The operating system installed on the system is CentOS Linux 6.x
  • AND Packages match section
  • dovecot is earlier than 0:2.0.9-5.el6
  • OR dovecot-devel is earlier than 0:2.0.9-5.el6
  • OR dovecot-mysql is earlier than 0:2.0.9-5.el6
  • OR dovecot-pgsql is earlier than 0:2.0.9-5.el6
  • OR dovecot-pigeonhole is earlier than 0:2.0.9-5.el6
  • Red Hat Enterprise Linux 6 release section
  • The operating system installed on the system is Red Hat Enterprise Linux 6
  • AND dovecot-debuginfo is earlier than 0:2.0.9-5.el6
  • BACK