Security: Denial of Service in dovecot
Name: Denial of Service in dovecot
ID: FEDORA-2011-7258
Distribution: Fedora
Platforms: Fedora 14
Date: Sat, 28 May 2011, 08:50
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1929
Applications: dovecot

Original message

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7258
2011-05-19 21:34:33
--------------------------------------------------------------------------------

Name        : dovecot
Product     : Fedora 14
Version     : 2.0.13
Release     : 1.fc14
URL         : http://www.dovecot.org/
Summary     : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security primarily in mind. It also contains a small POP3 server. It supports mail in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

--------------------------------------------------------------------------------
Update Information:

- dovecot updated to 2.0.13
- mdbox purge: Fixed wrong warning about corrupted extrefs.
- script-login binary wasn't actually dropping privileges to the user/group/chroot specified by its service settings.
- Fixed potential crashes and other problems when parsing header names that contained NUL characters.
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 12 2011 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.13-1
- dovecot updated to 2.0.13
- mdbox purge: Fixed wrong warning about corrupted extrefs.
- script-login binary wasn't actually dropping privileges to the user/group/chroot specified by its service settings.
- Fixed potential crashes and other problems when parsing header names that contained NUL characters.
* Fri Apr 15 2011 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.12-2
- pigeonhole updated to 0.2.3, which includes:
- managesieve: fixed bug in UTF-8 checking of string values
- sieve command line tools now avoid initializing the mail store unless necessary
- removed header MIME-decoding to fix erroneous address parsing
- fixed segfault bug in extension configuration, triggered when unknown extension is mentioned in sieve_extensions setting.
* Wed Apr 13 2011 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.12-1
- dbox: Fixes to handling external attachments
- dsync: More fixes to avoid hanging with remote syncs
- dsync: Many other syncing/correctness fixes
- doveconf: v2.0.10 and v2.0.11 didn't output plugin {} section right
* Mon Mar 28 2011 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.11-2
- fix regression in config file parsing (#690401)
* Mon Mar 7 2011 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.11-1
- IMAP: Fixed hangs with COMPRESS extension
- IMAP: Fixed a hang when trying to COPY to a nonexistent mailbox.
- IMAP: Fixed hang/crash with SEARCHRES + pipelining $.
- IMAP: Fixed assert-crash if IDLE+DONE is sent in same TCP packet.
* Thu Jan 13 2011 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.9-1
- dovecot updated to 2.0.9
- fixed a high system CPU usage / high context switch count performance problem
- lda: Fixed a crash when trying to send "out of quota" reply
* Mon Dec 20 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.8-3
- add full path and check to restorecon in post
* Tue Dec 7 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.8-2
- fix s/foobar/dovecot/ typo in post script
* Tue Dec 7 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.8-1
- dovecot updated to 2.0.8, pigeonhole updated to 0.2.2
- services' default vsz_limits weren't being enforced correctly
- added systemd support
- dbox: Fixes to handling external mail attachments
- imap, pop3: When service { client_count } was larger than 1, the log messages didn't use the correct prefix
- MySQL: Only the first specified host was ever used
* Mon Nov 29 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.7-3
- make it work with /var/run on tmpfs (#656577)
* Tue Nov 23 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.7-2
- fix regression with valid_chroot_dirs being ignored (#654083)
* Tue Nov 9 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.7-1
- dovecot updated to 2.0.7
- IMAP: Fixed LIST-STATUS when listing subscriptions with subscriptions=no namespaces.
- IMAP: Fixed SELECT QRESYNC not to crash on mailbox close if a lot of changes were being sent.
- quota: Don't count virtual mailboxes in quota
- doveadm expunge didn't always actually do the physical expunging
- Fixed some index reading optimizations introduced by v2.0.5.
- LMTP proxying fixes
* Fri Oct 22 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.6-1
- dovecot updated to 2.0.6
- Pre-login CAPABILITY includes IDLE again. Mainly to make Blackberry servers happy.
- auth: auth_cache_negative_ttl default was 0 in earlier v2.0.x, but it was supposed to be 1 hour as in v1.x. Changed it back to 1h.
- doveadm: Added import command for importing mails from other storages.
- Reduced NFS I/O operations for index file accesses
- dbox, Maildir: When copying messages, copy also already cached fields from dovecot.index.cache
- Maildir: LDA/LMTP assert-crashed sometimes when saving a mail.
- Fixed leaking fds when writing to dovecot.mailbox.log.
- Fixed rare dovecot.index.cache corruption
- IMAP: SEARCH YOUNGER/OLDER wasn't working correctly
* Mon Oct 4 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.5-1
- dovecot updated to 2.0.5
- acl: Fixed the logic of merging multiple ACL entries
- sdbox: Fixed memory leak when copying messages with hard links.
- zlib: Fixed several crashes, which mainly showed up with mbox.
- quota: Don't crash if user has quota disabled, but plugin loaded.
- acl: Fixed crashing when sometimes listing shared mailboxes via dict proxy.
* Tue Sep 28 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.4-1
- dovecot updated to 2.0.4
- multi-dbox: If :INDEX=path is specified, keep storage/dovecot.map.index* files also in the index path rather than in the main storage directory.
- dsync: POP3 UIDLs weren't copied with Maildir
- dict file: Fixed fd leak (showed up easily with LMTP + quota)
* Mon Sep 20 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.3-1
- dovecot updated to 2.0.3
- dovecot-lda: Removed use of non-standard Envelope-To: header as a default for -a
- dsync: Fixed handling \Noselect mailboxes
- Fixed an infinite loop introduced by v2.0.2's message parser changes.
- Fixed a crash introduced by v2.0.2's istream-crlf changes.
* Thu Sep 16 2010 Michal Hlavinka <mhlavink@redhat.com> - 1:2.0.2-1
- dovecot updated
- vpopmail support is disabled for now, since it's broken. You can use it via checkpassword support or its sql/ldap database directly.
- maildir: Fixed "duplicate uidlist entry" errors that happened at least with LMTP when mail was delivered to multiple recipients
- Deleting ACLs didn't cause entries to be removed from acl_shared_dict
- mail_max_lock_timeout setting wasn't working with all locks
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #706286 - CVE-2011-1929 dovecot: potential crash when parsing header names that contain NUL characters
      https://bugzilla.redhat.com/show_bug.cgi?id=706286
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update dovecot' at the command line.
For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce