Fedora 8 : dovecot-1.0.13-6.fc8 (2008-2464)

medium Nessus Plugin ID 31434

Synopsis

The remote Fedora host is missing a security update.

Description

This update upgrades dovecot from version 1.0.10 to 1.0.13. Besides bug fixes, two security issues were fixed upstream in version 1.0.11 and 1.0.13. CVE-2008-1199 If Dovecot was configured with mail_extra_groups = mail, users having shell access to IMAP server could use this flaw to read, modify or delete mails of other users stored in inbox files in /var/mail. /var/mail directory is mail-group writable and user inbox files are by default created by useradd with permission 660, <user>:mail. No mail_extra_groups is set by default, hence default Fedora configuration was not affected by this problem.
If your configuration sets mail_extra_groups, see new options mail_privileged_group and mail_access_groups introduced in Dovecot 1.0.11. (mail_extra_groups is still accepted, but is deprecated now) CVE-2008-1218 On Dovecot versions 1.0.11 and newer, it was possible to gain password-less login via passwords with tab characters, which were not filtered properly. Dovecot versions in Fedora were not affected by this unauthorized login flaw, but only by a related minor memory leak in dovecot-auth worker process. See referenced bugzilla for further details about this flaw.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected dovecot package.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=436927

https://bugzilla.redhat.com/show_bug.cgi?id=436928

http://www.nessus.org/u?72415f05

Plugin Details

Severity: Medium

ID: 31434

File Name: fedora_2008-2464.nasl

Version: 1.17

Type: local

Agent: unix

Published: 3/13/2008

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:dovecot, cpe:/o:fedoraproject:fedora:8

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/13/2008

Reference Information

CVE: CVE-2008-1199, CVE-2008-1218

BID: 28092, 28181

CWE: 16, 255, 59

FEDORA: 2008-2464