Your message dated Wed, 07 Oct 2009 07:58:20 +0000
with message-id <e1mvrpg-00014z...@ries.debian.org>
and subject line Bug#546656: fixed in dovecot 1:1.0.15-2.3+lenny1
has caused the Debian Bug report #546656,
regarding CVE-2009-3235: Multiple stack-based buffer overflows in the Sieve 
plugin in Dovecot
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
546656: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546656
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: dovecot-common
version: 1:1.0.15-2.3
severity: important
tags: security upstream

The CMU Sieve plugin for Dovecot v1.0/v1.1 is based on the Cyrus Sieve
library. As described in DSA 1881-1¹ there was a vulnerability.

Timo Sirainen has announced² the availability of the bug fixed versions
v1.1.7 for Dovecot v1.1 and v1.0.4 for Dovecot v1.0.

This also affects dovecot-common 1.0.rc15-2etch4 in oldstable and
dovecot-common 1:1.0.15-2.3~bpo40+1 in etch-backports.

This security hole does not exist in the new Sieve implementation, from
Stephan Bosch, for Dovecot's v1.2 series.


Regards,
Pascal
--
1 = http://www.debian.org/security/2009/dsa-1881
2 = http://dovecot.org/list/dovecot-news/2009-September/000135.html
-- 
Ubuntu is an ancient African word meaning “I can’t install Debian.”
                                                         -- unknown



--- End Message ---
--- Begin Message ---
Source: dovecot
Source-Version: 1:1.0.15-2.3+lenny1

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive:

dovecot-common_1.0.15-2.3+lenny1_i386.deb
  to pool/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_i386.deb
dovecot-dev_1.0.15-2.3+lenny1_i386.deb
  to pool/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_i386.deb
dovecot-imapd_1.0.15-2.3+lenny1_i386.deb
  to pool/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_i386.deb
dovecot-pop3d_1.0.15-2.3+lenny1_i386.deb
  to pool/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_i386.deb
dovecot_1.0.15-2.3+lenny1.diff.gz
  to pool/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.diff.gz
dovecot_1.0.15-2.3+lenny1.dsc
  to pool/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 546...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuse...@iuculano.it> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 23 Sep 2009 10:10:46 +0200
Source: dovecot
Binary: dovecot-common dovecot-dev dovecot-imapd dovecot-pop3d
Architecture: source i386
Version: 1:1.0.15-2.3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Dovecot Maintainers <jaldhar-dove...@debian.org>
Changed-By: Giuseppe Iuculano <giuse...@iuculano.it>
Description: 
 dovecot-common - secure mail server that supports mbox and maildir mailboxes
 dovecot-dev - header files for the dovecot mail server
 dovecot-imapd - secure IMAP server that supports mbox and maildir mailboxes
 dovecot-pop3d - secure POP3 server that supports mbox and maildir mailboxes
Closes: 546656
Changes: 
 dovecot (1:1.0.15-2.3+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix for buffer overflow in SIEVE filtering allowing for privilege
     escalation (closes: #546656). Thanks to Don Armstrong.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkq5/qcACgkQ62zWxYk/rQeSnQCgg4sCIjPYcFMVSpDhdspKwTFG
npQAoLL0yY002wp+1vseGWCQm8VJ6FUg
=CJO/
-----END PGP SIGNATURE-----



--- End Message ---
