Sicherheit: Denial of Service in dovecot
Aktuelle Meldungen Distributionen
Name: Denial of Service in dovecot
ID: FEDORA-2011-7258
Distribution: Fedora
Plattformen: Fedora 14
Datum: Sa, 28. Mai 2011, 08:50
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1929
Applikationen: dovecot


Fedora Update Notification
2011-05-19 21:34:33

Name : dovecot
Product : Fedora 14
Version : 2.0.13
Release : 1.fc14
URL : http://www.dovecot.org/
Summary : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

Update Information:

- dovecot updated to 2.0.13
- mdbox purge: Fixed wrong warning about corrupted extrefs.
- script-login binary wasn't actually dropping privileges to the
user/group/chroot specified by its service settings.
- Fixed potential crashes and other problems when parsing header names
that contained NUL characters.

* Thu May 12 2011 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.13-1
- dovecot updated to 2.0.13
- mdbox purge: Fixed wrong warning about corrupted extrefs.
- script-login binary wasn't actually dropping privileges to the
user/group/chroot specified by its service settings.
- Fixed potential crashes and other problems when parsing header names
that contained NUL characters.
* Fri Apr 15 2011 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.12-2
- pigeonhole updated to 0.2.3, which includes:
- managesieve: fixed bug in UTF-8 checking of string values
- sieve command line tools now avoid initializing the mail store unless
- removed header MIME-decoding to fix erroneous address parsing
- fixed segfault bug in extension configuration, triggered when unknown
extension is mentioned in sieve_extensions setting.
* Wed Apr 13 2011 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.12-1
- dbox: Fixes to handling external attachments
- dsync: More fixes to avoid hanging with remote syncs
- dsync: Many other syncing/correctness fixes
- doveconf: v2.0.10 and v2.0.11 didn't output plugin {} section right
* Mon Mar 28 2011 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.11-2
- fix regression in config file parsing (#690401)
* Mon Mar 7 2011 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.11-1
- IMAP: Fixed hangs with COMPRESS extension
- IMAP: Fixed a hang when trying to COPY to a nonexistent mailbox.
- IMAP: Fixed hang/crash with SEARCHRES + pipelining $.
- IMAP: Fixed assert-crash if IDLE+DONE is sent in same TCP packet.
* Thu Jan 13 2011 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.9-1
- dovecot updated to 2.0.9
- fixed a high system CPU usage / high context switch count performance problem
- lda: Fixed a crash when trying to send "out of quota" reply
* Mon Dec 20 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.8-3
- add full path and check to restorecon in post
* Tue Dec 7 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.8-2
- fix s/foobar/dovecot/ typo in post script
* Tue Dec 7 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.8-1
- dovecot updated to 2.0.8, pigeonhole updated to 0.2.2
- services' default vsz_limits weren't being enforced correctly
- added systemd support
- dbox: Fixes to handling external mail attachments
- imap, pop3: When service { client_count } was larger than 1, the
log messages didn't use the correct prefix
- MySQL: Only the first specified host was ever used
* Mon Nov 29 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.7-3
- make it work with /var/run on tmpfs (#656577)
* Tue Nov 23 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.7-2
- fix regression with valid_chroot_dirs being ignored (#654083)
* Tue Nov 9 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.7-1
- dovecot updated to 2.0.7
- IMAP: Fixed LIST-STATUS when listing subscriptions with subscriptions=no
- IMAP: Fixed SELECT QRESYNC not to crash on mailbox close if a lot of changes
were being sent.
- quota: Don't count virtual mailboxes in quota
- doveadm expunge didn't always actually do the physical expunging
- Fixed some index reading optimizations introduced by v2.0.5.
- LMTP proxying fixes
* Fri Oct 22 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.6-1
- dovecot updated to 2.0.6
- Pre-login CAPABILITY includes IDLE again. Mainly to make Blackberry
servers happy.
- auth: auth_cache_negative_ttl default was 0 in earlier v2.0.x, but it
was supposed to be 1 hour as in v1.x. Changed it back to 1h.
- doveadm: Added import command for importing mails from other storages.
- Reduced NFS I/O operations for index file accesses
- dbox, Maildir: When copying messages, copy also already cached fields
from dovecot.index.cache
- Maildir: LDA/LMTP assert-crashed sometimes when saving a mail.
- Fixed leaking fds when writing to dovecot.mailbox.log.
- Fixed rare dovecot.index.cache corruption
- IMAP: SEARCH YOUNGER/OLDER wasn't working correctly
* Mon Oct 4 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.5-1
- dovecot updated to 2.0.5
- acl: Fixed the logic of merging multiple ACL entries
- sdbox: Fixed memory leak when copying messages with hard links.
- zlib: Fixed several crashes, which mainly showed up with mbox.
- quota: Don't crash if user has quota disabled, but plugin loaded.
- acl: Fixed crashing when sometimes listing shared mailboxes via dict proxy.
* Tue Sep 28 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.4-1
- dovecot updated to 2.0.4
- multi-dbox: If :INDEX=path is specified, keep storage/dovecot.map.index*
files also in the index path rather than in the main storage directory.
- dsync: POP3 UIDLs weren't copied with Maildir
- dict file: Fixed fd leak (showed up easily with LMTP + quota)
* Mon Sep 20 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.3-1
- dovecot updated to 2.0.3
- dovecot-lda: Removed use of non-standard Envelope-To: header as
a default for -a
- dsync: Fixed handling \Noselect mailboxes
- Fixed an infinite loop introduced by v2.0.2's message parser changes.
- Fixed a crash introduced by v2.0.2's istream-crlf changes.
* Thu Sep 16 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.2-1
- dovecot updated
- vpopmail support is disabled for now, since it's broken. You can use
it via checkpassword support or its sql/ldap database directly.
- maildir: Fixed "duplicate uidlist entry" errors that happened at
least with LMTP when mail was delivered to multiple recipients
- Deleting ACLs didn't cause entries to be removed from acl_shared_dict
- mail_max_lock_timeout setting wasn't working with all locks

[ 1 ] Bug #706286 - CVE-2011-1929 dovecot: potential crash when parsing
header names that contain NUL characters

This update can be installed with the "yum" update program. Use
su -c 'yum update dovecot' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
package-announce mailing list
Pro-Linux @Facebook
Neue Nachrichten