Soeren Sonnenburg
2009-Nov-23 06:24 UTC
[Secure-testing-team] Bug#557601: v1.2.8 fixes a security problem in v1.2 releases.
Package: dovecot
Severity: critical
Tags: security

from http://www.dovecot.org/list/dovecot-news/2009-November/000143.html

This is mainly to fix the 0777 base_dir creation issue, which could be considered a security hole, exploitable by local users. An attacker could for example replace Dovecot's auth socket and log in as other users. Gaining root privileges isn't possible though.

This affects only v1.2 users, v1.1 and older versions were creating the directory with 0755 permission.

-- System Information:
Debian Release: squeeze/sid
  APT prefers stable
  APT policy: (700, 'stable'), (650, 'testing'), (600, 'unstable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-rc8-sonne (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
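A defender-side check for the class of problem in this report, added here as an example that is not part of the thread or of Dovecot's own code: it audits the directory that holds a daemon's UNIX sockets (such as Dovecot's base_dir) for the 0777 mode the v1.2 releases created it with, and reports the 0755 mode the older releases used as clean. The `expected_uid` parameter and the temporary directories built in `demo()` are constructed for the illustration; on a real system you would point `audit_socket_dir` at the configured base_dir.

```python
import os
import shutil
import stat
import tempfile

# Permission mode the advisory names as the safe one (what Dovecot v1.1 and
# older used for base_dir); 0777 is the mode the v1.2 bug produced.
SAFE_MODE = 0o755


def audit_socket_dir(path, expected_uid=None):
    """Return a list of findings for a directory that holds privileged
    UNIX sockets (such as Dovecot's base_dir). An empty list means no issue.

    expected_uid is an assumed parameter: if given, the directory must be
    owned by that uid (for a real base_dir that would normally be root)."""
    st = os.lstat(path)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        return ["%s is a symlink; refusing to audit through it" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        detail = "world-writable (mode %04o)" % mode
        if mode & stat.S_ISVTX:
            detail += ", sticky bit set, so entries can only be removed by their owner"
        else:
            detail += ", no sticky bit, so any local user can unlink and replace a socket here"
        findings.append(detail)
    elif mode & stat.S_IWGRP:
        findings.append("group-writable (mode %04o); members of gid %d can replace sockets"
                        % (mode, st.st_gid))
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected uid %d" % (st.st_uid, expected_uid))
    # A socket inside the directory owned by someone other than the directory
    # owner is a sign that an entry has already been replaced.
    for name in sorted(os.listdir(path)):
        est = os.lstat(os.path.join(path, name))
        if stat.S_ISSOCK(est.st_mode) and est.st_uid != st.st_uid:
            findings.append("socket %s owned by uid %d, directory owned by uid %d"
                            % (name, est.st_uid, st.st_uid))
    return findings


def demo():
    """Constructed scenario: one directory created with the buggy 0777 mode
    and one with the 0755 mode, both audited against the current user."""
    root = tempfile.mkdtemp(prefix="basedir-audit-")
    try:
        results = {}
        for label, mode in (("buggy_0777", 0o777), ("fixed_0755", SAFE_MODE)):
            d = os.path.join(root, label)
            os.mkdir(d)
            os.chmod(d, mode)  # chmod rather than mkdir's mode argument, so the umask cannot interfere
            results[label] = audit_socket_dir(d, expected_uid=os.getuid())
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or ["ok"])
```

The check deliberately distinguishes a world-writable directory with the sticky bit (entries can be created but not unlinked by other users) from one without it, because only the latter lets a local user remove and recreate an existing socket, which is the scenario the report describes.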
Jaldhar H. Vyas
2009-Nov-23 07:39 UTC
[Secure-testing-team] Bug#557601: v1.2.8 fixes a security problem in v1.2 releases.
On Mon, 23 Nov 2009, Soeren Sonnenburg wrote:

> Package: dovecot
> Severity: critical
> Tags: security
>
> from http://www.dovecot.org/list/dovecot-news/2009-November/000143.html
>
> This is mainly to fix the 0777 base_dir creation issue, which could be
> considered a security hole, exploitable by local users. An attacker
> could for example replace Dovecot's auth socket and log in as other
> users. Gaining root privileges isn't possible though.
>
> This affects only v1.2 users, v1.1 and older versions were creating the
> directory with 0755 permission.

Thanks for the heads up. I am in the process of packaging this version.

Security team:

We were going to take this opportunity to migrate to the 3.0 (quilt) format. Is this likely to cause problems for you? Would you prefer we waited until after this upload?

--
Jaldhar H. Vyas <jaldhar at debian.org>
Noah Meyerhans
2009-Nov-23 13:48 UTC
[Secure-testing-team] Bug#557601: v1.2.8 fixes a security problem in v1.2 releases.
On Mon, Nov 23, 2009 at 02:39:53AM -0500, Jaldhar H. Vyas wrote:

> Security team:
>
> We were going to take this opportunity to migrate to the 3.0 (quilt)
> format. Is this likely to cause problems for you? Would you prefer we
> waited until after this upload?

From the stable security team's point of view, it shouldn't be an issue since this problem does not exist in any supported versions.

noah