Ubuntu 10.04 LTS / 10.10 : dovecot vulnerabilities (USN-1059-1)

Ubuntu Security Notice (C) 2011-2013 Canonical, Inc. / NASL script (C) 2011-2013 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

It was discovered that the ACL plugin in Dovecot would incorrectly
propagate ACLs to new mailboxes. A remote authenticated user could
possibly read new mailboxes that were created with the wrong ACL.
(CVE-2010-3304)

It was discovered that the ACL plugin in Dovecot would incorrectly
merge ACLs in certain circumstances. A remote authenticated user could
possibly bypass intended access restrictions and gain access to
mailboxes. (CVE-2010-3706, CVE-2010-3707)

It was discovered that the ACL plugin in Dovecot would incorrectly
grant the admin permission to owners of certain mailboxes. A remote
authenticated user could possibly bypass intended access restrictions
and gain access to mailboxes. (CVE-2010-3779)

It was discovered that Dovecot incorrectly handled the simultaneous
disconnect of a large number of sessions. A remote authenticated user
could use this flaw to cause Dovecot to crash, resulting in a denial
of service. (CVE-2010-3780)

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSS Temporal Score : 4.7
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 51900

Bugtraq ID: 41964, 43690

CVE ID: CVE-2010-3304, CVE-2010-3706, CVE-2010-3707, CVE-2010-3779, CVE-2010-3780