Vulnerability Bulletins |
Directory traversal in Dovecot |
|
Vulnerability classification |
|
Property | Value |
Confidence level | Official |
Impact | Confidentiality |
Difficulty | Expert |
Required attacker level | Remote access without an account to an exotic service |
System information |
|
Property | Value |
Affected manufacturer | GNU/Linux |
Affected software | Dovecot < 1.0.rc29 |
Description |
|
A vulnerability has been discovered in Dovecot versions prior to 1.0.rc29. The vulnerability is a directory traversal error in the file index/mbox/mbox-storage.c when the zlib plugin is in use. A remote attacker could read mailboxes (mbox files) by using the dot-dot sequence (..) in the mailbox name. |
|
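A defensive check for the flaw described above, as an added example (not Dovecot's code and not the upstream fix): it validates a client-supplied mailbox name one path component at a time, so `..` is rejected as a path element while a legitimate name such as `archive..2007` is still accepted. The function name `mailbox_name_is_safe`, the `/` hierarchy separator and the sample names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from Dovecot): returns true only if `name` can be
 * appended to the user's mail root without leaving it. Call it on the final
 * name, after any decoding or namespace-prefix handling has been applied. */
bool mailbox_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (*name == '/' || *name == '~')      /* absolute path or home expansion */
        return false;

    const char *p = name;
    while (*p != '\0') {
        size_t len = strcspn(p, "/");       /* length of this path component */

        if (len == 0)                       /* empty component, e.g. "a//b" */
            return false;
        if (len == 1 && p[0] == '.')        /* "." component */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.')   /* ".." component */
            return false;

        p += len;
        if (*p == '/') {
            p++;
            if (*p == '\0')                 /* trailing separator, e.g. "a/" */
                return false;
        }
    }
    return true;
}

int main(void)
{
    /* Constructed sample names, not taken from any real system. */
    const char *samples[] = { "INBOX", "lists/dovecot", "archive..2007",
                              "../otheruser/mbox", "lists/../../x", "a//b" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s %s\n", samples[i],
               mailbox_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A substring test for `..` would also reject `archive..2007`; checking whole components avoids that false positive.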
Solution |
|
Software update:
Debian (DSA 1359-1)
Debian Linux 4.0
Source:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch1.dsc
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch1.diff.gz
alpha:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_alpha.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_alpha.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_alpha.deb
amd64:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_amd64.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_amd64.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_amd64.deb
arm:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_arm.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_arm.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_arm.deb
hppa:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_hppa.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_hppa.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_hppa.deb
i386:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_i386.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_i386.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_i386.deb
ia64:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_ia64.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_ia64.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_ia64.deb
mips:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_mips.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_mips.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_mips.deb
mipsel:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_mipsel.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_mipsel.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_mipsel.deb
s390:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_s390.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_s390.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_s390.deb
sparc:
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch1_sparc.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch1_sparc.deb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch1_sparc.deb
Red Hat (RHSA-2008:0297-6)
RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
https://rhn.redhat.com/ |
|
Standard resources |
|
Property | Value |
CVE | CVE-2007-2231 |
BID | |
Other resources |
|
Debian Security Advisory (DSA 1359-1) http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00121.html
Red Hat Security Advisory (RHSA-2008:0297-6) https://rhn.redhat.com/errata/RHSA-2008-0297.html |
Version history |
||
Version | Comments | Date |
1.0 | Advisory issued | 2007-08-29 |
1.1 | Advisory issued by Red Hat (RHSA-2008:0297-6) | 2008-05-26 |