
Vulnerability Bulletins


Directory traversal in Dovecot

Vulnerability classification

Confidence level: Official
Impact: Confidentiality
Difficulty: Expert
Required attacker level: Remote access, without an account, to an exotic service

System information

Affected manufacturer: GNU/Linux
Affected software: Dovecot < 1.0.rc29

Description

A vulnerability has been discovered in Dovecot versions prior to 1.0.rc29. It is a directory traversal flaw in the file index/mbox/mbox-storage.c that is reachable when the zlib plugin is in use.

A remote attacker could read mailboxes (mbox files) by placing a dot-dot sequence (..) in the mailbox name.
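Added example, not Dovecot's own code or its patch: a defender-side check of the kind that prevents the flaw described above, rejecting client-supplied mailbox names whose components could climb out of the mail root. The function name and the use of '/' as the hierarchy separator are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Validate a mailbox name before it is joined to the mail root as a
 * filesystem path. Assumes '/' separates hierarchy levels (mbox storage). */
bool mailbox_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    /* an absolute path or "~" would bypass the mail root outright */
    if (name[0] == '/' || name[0] == '~')
        return false;

    const char *p = name;
    for (;;) {
        const char *sep = strchr(p, '/');
        size_t len = (sep != NULL) ? (size_t)(sep - p) : strlen(p);

        /* empty component: "a//b", or a trailing '/' */
        if (len == 0)
            return false;
        /* "." and ".." components let the path climb out of the root */
        if ((len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return false;
        /* control characters never belong in a mailbox name */
        for (size_t i = 0; i < len; i++) {
            unsigned char c = (unsigned char)p[i];
            if (c < 0x20 || c == 0x7f)
                return false;
        }
        if (sep == NULL)
            return true;
        p = sep + 1;
    }
}

int main(void)
{
    /* constructed sample names */
    const char *samples[] = { "INBOX", "lists/dovecot", "../../other-user/INBOX", "lists/" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i], mailbox_name_is_safe(samples[i]) ? "ok" : "rejected");
    return 0;
}
```

Name validation is only the first layer; the joined path should additionally be resolved and checked to still lie under the mail root before the file is opened.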

Solution

Software update:

Debian (DSA 1359-1)

Debian Linux 4.0

Source:
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch1.dsc
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch1.diff.gz
alpha:
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_alpha.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_alpha.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_alpha.deb
amd64:
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_amd64.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_amd64.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_amd64.deb
arm:
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_arm.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_arm.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_arm.deb
hppa:
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_hppa.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_hppa.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_hppa.deb
i386:
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_i386.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_i386.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_i386.deb
ia64:
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_ia64.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_ia64.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_ia64.deb
mips:
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_mips.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_mips.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_mips.deb
mipsel:
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_mipsel.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_mipsel.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_mipsel.deb
s390:
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_s390.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_s390.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_s390.deb
sparc:
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_sparc.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_sparc.deb
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_sparc.deb

Red Hat (RHSA-2008:0297-6)
RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
  https://rhn.redhat.com/

Standard resources

CVE: CVE-2007-2231
BID:

Other resources

Debian Security Advisory (DSA 1359-1)
http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00121.html

Red Hat Security Advisory (RHSA-2008:0297-6)
https://rhn.redhat.com/errata/RHSA-2008-0297.html

Version history

1.0  Advisory issued  2007-08-29
1.1  Advisory issued by Red Hat (RHSA-2008:0297-6)  2008-05-26
Ministerio de Defensa / CNI / CCN / CCN-CERT