Security hole in ManageSieve: Virtual users can edit scripts of other virtual users
Bug #307291 reported by Mr Ed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dovecot (Debian) | Fix Released | Unknown | |
dovecot (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Script names aren't checked for "/"-characters, so that virtual users can edit other users' scripts by using a script name like "../../
See here for more details and a patch:
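To illustrate the check the fix adds, here is an added C example (not Dovecot's or the ManageSieve patch's own code) contrasting the unchecked path construction the report describes with a validator that rejects script names containing "/". The script directory and function names are assumptions, and the validator also refuses empty names, leading dots and control characters, which goes beyond the changelog's single-character check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed per-user script directory for the example; Dovecot's real layout is not implied. */
#define SCRIPT_DIR "/var/mail/sieve/alice"

/* Behaviour described in the bug: the client-supplied name is appended to the
 * user's directory verbatim, so a name with "../" escapes that directory. */
static int build_path_unchecked(char *out, size_t outlen, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s.sieve", SCRIPT_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Name validation in the spirit of the fix: any "/" is rejected. Empty names,
 * names starting with ".", and control bytes are refused as well (assumption:
 * stricter than the changelog's check, but harmless for ordinary script names). */
static bool script_name_is_valid(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '.')
        return false;
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++) {
        if (*p == '/' || *p < 0x20 || *p == 0x7f)
            return false;
    }
    return true;
}

/* Hardened variant: validate before touching the filesystem path at all. */
static int build_path_checked(char *out, size_t outlen, const char *name)
{
    if (!script_name_is_valid(name))
        return -1;
    return build_path_unchecked(out, outlen, name);
}

int main(void)
{
    char path[256];
    const char *name = "../../bob/vacation";   /* constructed traversal name */

    if (build_path_unchecked(path, sizeof path, name) == 0)
        printf("unchecked: %s\n", path);       /* leaves alice's directory */
    if (build_path_checked(path, sizeof path, name) == -1)
        printf("checked:   rejected \"%s\"\n", name);
    return 0;
}
```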
Activity: description updated; dovecot (Debian) status changed Unknown → Fix Released
This bug was fixed in the package dovecot - 1:1.1.11-0ubuntu1
---------------
dovecot (1:1.1.11-0ubuntu1) jaunty; urgency=low

[ Ante Karamatic ]
* Add new binary pkg dovecot-postfix that integrates postfix and dovecot
automatically: (LP: #164837)
- debian/control:
+ add new binary with short description.
- debian/dovecot-postfix.postinst:
+ create initial certificate symlinks to snakeoil.
+ set up postfix with postconf to:
- use Maildir/ as the default mailbox.
- use dovecot as the sasl authentication server.
- use dovecot LDA (deliver).
- use tls for smtp{d} services.
+ restart postfix and dovecot.
- debian/dovecot-postfix.postrm:
+ remove all dovecot related configuration from postfix.
+ restart postfix and dovecot.
- debian/dovecot-common.init:
+ check if /etc/dovecot/dovecot-postfix.conf exists and use it
as the configuration file if so.
- debian/patches/warning-ubuntu-postfix.dpatch:
+ add warning about dovecot-postfix.conf in dovecot default configuration file.
- debian/patches/dovecot-postfix.conf.diff:
+ Ubuntu server custom changes to the default dovecot configuration for
better integration with postfix:
- enable imap, pop3, imaps, pop3s and managesieve by default.
- enable dovecot LDA (deliver).
- enable SASL auth socket in postfix private directory.
- debian/rules:
+ copy, patch and install dovecot-postfix.conf in /etc/dovecot/.

[ Mathias Gug ]
* New upstream release:
* Update dovecot-managesieve to 0.10.5. Fixes:
- check if names of sieve scripts contain '/' (LP: #307291)
* Update dovecot-managesieve patch for 1.1.11 and 0.10.5.
* Update dovecot-sieve plugin to 1.1.6.
* Merge from debian experimental, remaining changes:
- Use Snakeoil SSL certificates by default.
+ debian/control: Depend on ssl-cert
+ debian/patches/ssl-cert-snakeoil.dpatch: Change default SSL cert
paths to snakeoil.
+ debian/dovecot-common.postinst: Relax grep for SSL_* a bit.
- Add autopkgtest in debian/tests/*.
- debian/dovecot-common.init: Check to see if there is an /etc/inetd.conf.
(LP: #208411)
- Fast TearDown: Update lsb init header to not stop in level 6.
- Add status action to the init script:
+ debian/control: Depend on lsb >= 3.2.12ubuntu3.
+ debian/dovecot-common.init: Add the 'status' action (LP: #247096).
- debian/rules:
- Copy config.{guess,sub} after running libtoolize.
- Clean dovecot-managesieve directory.
- Add ufw integration:
- Created debian/dovecot-common.ufw.profile
- debian/rules:
+ install profile
- debian/control
+ Suggest ufw
- debian/{control, rules}: enable PIE hardening.
- Updated dovecot-common.README.Debian with information on what has changed
between 1.0 and 1.1.1. Fixes (LP: #257625)
- dovecot-imapd, dovecot-pop3: Replaces dovecot-common (<< 1:1.1). LP: #254721.
- debian/control:
+ Update Vcs-* headers.
* debian/rules:
- Create empty stamp.h.in files in dovecot-sieve/ and dovecot-managesi...