RHEL 6 : dovecot (RHSA-2013:0520)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated dovecot packages that fix three security issues and one bug
are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Dovecot is an IMAP server, written with security primarily in mind,
for Linux and other UNIX-like systems. It also contains a small POP3
server. It supports mail in either of maildir or mbox formats. The SQL
drivers and authentication plug-ins are provided as sub-packages.

Two flaws were found in the way some settings were enforced by the
script-login functionality of Dovecot. A remote, authenticated user
could use these flaws to bypass intended access restrictions or
conduct a directory traversal attack by leveraging login scripts.
(CVE-2011-2166, CVE-2011-2167)

A flaw was found in the way Dovecot performed remote server identity
verification, when it was configured to proxy IMAP and POP3
connections to remote hosts using TLS/SSL protocols. A remote attacker
could use this flaw to conduct man-in-the-middle attacks using an
X.509 certificate issued by a trusted Certificate Authority (for a
different name). (CVE-2011-4318)

This update also fixes the following bug :

* When a new user first accessed their IMAP inbox, Dovecot was, under
some circumstances, unable to change the group ownership of the inbox
directory in the user's Maildir location to match that of the user's
mail spool (/var/mail/$USER). This correctly generated an 'Internal
error occurred' message. However, with a subsequent attempt to access
the inbox, Dovecot saw that the directory already existed and
proceeded with its operation, leaving the directory with incorrectly
set permissions. This update corrects the underlying permissions
setting error. When a new user now accesses their inbox for the first
time, and it is not possible to set group ownership, Dovecot removes
the created directory and generates an error message instead of
keeping the directory with incorrect group ownership. (BZ#697620)

Users of dovecot are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. After
installing the updated packages, the dovecot service will be restarted
automatically.

See also :

https://www.redhat.com/security/data/cve/CVE-2011-2166.html
https://www.redhat.com/security/data/cve/CVE-2011-2167.html
https://www.redhat.com/security/data/cve/CVE-2011-4318.html
http://rhn.redhat.com/errata/RHSA-2013-0520.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

Family: Red Hat Local Security Checks

Nessus Plugin ID: 64767 ()

Bugtraq ID:

CVE ID: CVE-2011-2166
CVE-2011-2167
CVE-2011-4318