[Secure-testing-team] Bug#557601: v1.2.8 fixes a security problem in v1.2 releases.
Jaldhar H. Vyas
jaldhar at debian.org
Mon Nov 23 07:39:53 UTC 2009
On Mon, 23 Nov 2009, Soeren Sonnenburg wrote:
> Package: dovecot
> Severity: critical
> Tags: security
>
> from http://www.dovecot.org/list/dovecot-news/2009-November/000143.html
>
> This is mainly to fix the 0777 base_dir creation issue, which could be
> considered a security hole, exploitable by local users. An attacker
> could for example replace Dovecot's auth socket and log in as other
> users. Gaining root privileges isn't possible though.
>
> This affects only v1.2 users, v1.1 and older versions were creating the
> directory with 0755 permission.
>
Thanks for the heads up. I am in the process of packaging this version.
Security team:
We were going to take this opportunity to migrate to the 3.0 (quilt)
format. Is this likely to cause problems for you? Would you prefer we
waited until after this upload?
--
Jaldhar H. Vyas <jaldhar at debian.org>
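
An added example, not part of this mail or of Dovecot: a small audit of a service's runtime directory for the permission problem the quoted announcement describes (0777 instead of 0755). The function name `audit_runtime_dir` and its `trusted_uids` parameter are hypothetical, and the directory path is supplied by the caller because the message does not give one.

```python
import os
import stat
import sys

def audit_runtime_dir(path, trusted_uids=(0,)):
    """Return findings for a directory that holds a service's sockets."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a real directory"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid not in trusted_uids:
        findings.append(f"{path}: owner uid {st.st_uid} is not trusted")
    # Write permission on a directory allows unlinking or renaming any entry
    # in it, whoever owns the entry, so a socket can be swapped for another.
    if mode & stat.S_IWOTH:
        if mode & stat.S_ISVTX:
            findings.append(f"{path}: mode {mode:04o} is world-writable with sticky bit; "
                            "others cannot remove entries but can still create them")
        else:
            findings.append(f"{path}: mode {mode:04o} is world-writable; "
                            "any local user can replace entries")
    elif mode & stat.S_IWGRP:
        findings.append(f"{path}: mode {mode:04o} is group-writable (gid {st.st_gid})")
    # Sockets already owned by an unexpected account may have been planted.
    with os.scandir(path) as entries:
        for entry in entries:
            est = entry.stat(follow_symlinks=False)
            if stat.S_ISSOCK(est.st_mode) and est.st_uid not in trusted_uids:
                findings.append(f"{entry.path}: socket owned by uid {est.st_uid}")
    return findings

if __name__ == "__main__":
    # Assumption: the directory to check is given on the command line.
    for line in audit_runtime_dir(sys.argv[1]):
        print(line)
```

An empty result means the directory is not writable by group or others and holds no sockets owned by accounts outside `trusted_uids`.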