| Description: | Dovecot is an IMAP server, written with security primarily in mind, forLinux and other UNIX-like systems. It also contains a small POP3 server. Itsupports mail in either of maildir or mbox formats. The SQL drivers andauthentication plug-ins are provided as sub-packages.Two flaws were found in the way some settings were enforced by thescript-login functionality of Dovecot. A remote, authenticated user coulduse these flaws to bypass intended access restrictions or conduct adirectory traversal attack by leveraging login scripts. (CVE-2011-2166,CVE-2011-2167)A flaw was found in the way Dovecot performed remote server identityverification, when it was configured to proxy IMAP and POP3 connections toremote hosts using TLS/SSL protocols. A remote attacker could use this flawto conduct man-in-the-middle attacks using an X.509 certificate issued bya trusted Certificate Authority (for a different name). (CVE-2011-4318)This update also fixes the following bug:* When a new user first accessed their IMAP inbox, Dovecot was, under somecircumstances, unable to change the group ownership of the inbox directoryin the user's Maildir location to match that of the user's mail spool(/var/mail/$USER). This correctly generated an "Internal error occurred"message. However, with a subsequent attempt to access the inbox, Dovecotsaw that the directory already existed and proceeded with its operation,leaving the directory with incorrectly set permissions. This updatecorrects the underlying permissions setting error. When a new user nowaccesses their inbox for the first time, and it is not possible to setgroup ownership, Dovecot removes the created directory and generates anerror message instead of keeping the directory with incorrect groupownership. (BZ#697620)Users of dovecot are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues. After installing theupdated packages, the dovecot service will be restarted automatically. |