U radu programskog paketa Dovecot uočen je sigurnosni nedostatak koji udaljenom napadaču omogućuje izvođenje DoS (eng. Denial of Service) napada.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7268
2011-05-19 21:34:59
--------------------------------------------------------------------------------

Name        : dovecot
Product     : Fedora 15
Version     : 2.0.13
Release     : 1.fc15
URL         : http://www.dovecot.org/
Summary     : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind.  It also contains a small POP3 server.  It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

--------------------------------------------------------------------------------
Update Information:

- dovecot updated to 2.0.13
- mdbox purge: Fixed wrong warning about corrupted extrefs.
- script-login binary wasn't actually dropping privileges to the
  user/group/chroot specified by its service settings.
- Fixed potential crashes and other problems when parsing header names
  that contained NUL characters.
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 12 2011 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.13-1
- dovecot updated to 2.0.13
- mdbox purge: Fixed wrong warning about corrupted extrefs.
- script-login binary wasn't actually dropping privileges to the
  user/group/chroot specified by its service settings.
- Fixed potential crashes and other problems when parsing header names
  that contained NUL characters.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #706286 - CVE-2011-1929 dovecot: potential crash when parsing
header names that contain NUL characters
        https://bugzilla.redhat.com/show_bug.cgi?id=706286
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update dovecot' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7258
2011-05-19 21:34:33
--------------------------------------------------------------------------------

Name        : dovecot
Product     : Fedora 14
Version     : 2.0.13
Release     : 1.fc14
URL         : http://www.dovecot.org/
Summary     : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind.  It also contains a small POP3 server.  It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

--------------------------------------------------------------------------------
Update Information:

- dovecot updated to 2.0.13
- mdbox purge: Fixed wrong warning about corrupted extrefs.
- script-login binary wasn't actually dropping privileges to the
  user/group/chroot specified by its service settings.
- Fixed potential crashes and other problems when parsing header names
  that contained NUL characters.
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 12 2011 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.13-1
- dovecot updated to 2.0.13
- mdbox purge: Fixed wrong warning about corrupted extrefs.
- script-login binary wasn't actually dropping privileges to the
  user/group/chroot specified by its service settings.
- Fixed potential crashes and other problems when parsing header names
  that contained NUL characters.
* Fri Apr 15 2011 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.12-2
- pigeonhole updated to 0.2.3, which includes:
- managesieve: fixed bug in UTF-8 checking of string values
- sieve command line tools now avoid initializing the mail store unless
necessary
- removed header MIME-decoding to fix erroneous address parsing
- fixed segfault bug in extension configuration, triggered when unknown
  extension is mentioned in sieve_extensions setting.
* Wed Apr 13 2011 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.12-1
- dbox: Fixes to handling external attachments
- dsync: More fixes to avoid hanging with remote syncs
- dsync: Many other syncing/correctness fixes
- doveconf: v2.0.10 and v2.0.11 didn't output plugin {} section right
* Mon Mar 28 2011 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.11-2
- fix regression in config file parsing (#690401)
* Mon Mar  7 2011 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.11-1
- IMAP: Fixed hangs with COMPRESS extension
- IMAP: Fixed a hang when trying to COPY to a nonexistent mailbox.
- IMAP: Fixed hang/crash with SEARCHRES + pipelining $.
- IMAP: Fixed assert-crash if IDLE+DONE is sent in same TCP packet.
* Thu Jan 13 2011 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.9-1
- dovecot updated to 2.0.9
- fixed a high system CPU usage / high context switch count performance
problem
- lda: Fixed a crash when trying to send "out of quota" reply
* Mon Dec 20 2010 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.8-3
- add full path and check to restorecon in post
* Tue Dec  7 2010 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.8-2
- fix s/foobar/dovecot/ typo in post script
* Tue Dec  7 2010 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.8-1
- dovecot updated to 2.0.8, pigeonhole updated to 0.2.2
- services' default vsz_limits weren't being enforced correctly
- added systemd support
- dbox: Fixes to handling external mail attachments
- imap, pop3: When service { client_count } was larger than 1, the
  log messages didn't use the correct prefix
- MySQL: Only the first specified host was ever used
* Mon Nov 29 2010 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.7-3
- make it work with /var/run on tmpfs (#656577)
* Tue Nov 23 2010 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.7-2
- fix regression with  valid_chroot_dirs being ignored (#654083)
* Tue Nov  9 2010 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.7-1
- dovecot updated to 2.0.7
- IMAP: Fixed LIST-STATUS when listing subscriptions with subscriptions=no
namespaces.
- IMAP: Fixed SELECT QRESYNC not to crash on mailbox close if a lot of changes
were being sent. 
- quota: Don't count virtual mailboxes in quota
- doveadm expunge didn't always actually do the physical expunging
- Fixed some index reading optimizations introduced by v2.0.5.
- LMTP proxying fixes
* Fri Oct 22 2010 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.6-1
- dovecot updated to 2.0.6
- Pre-login CAPABILITY includes IDLE again. Mainly to make Blackberry
  servers happy.
- auth: auth_cache_negative_ttl default was 0 in earlier v2.0.x, but it
  was supposed to be 1 hour as in v1.x. Changed it back to 1h.
- doveadm: Added import command for importing mails from other storages.
- Reduced NFS I/O operations for index file accesses
- dbox, Maildir: When copying messages, copy also already cached fields
  from dovecot.index.cache
- Maildir: LDA/LMTP assert-crashed sometimes when saving a mail.
- Fixed leaking fds when writing to dovecot.mailbox.log.
- Fixed rare dovecot.index.cache corruption
- IMAP: SEARCH YOUNGER/OLDER wasn't working correctly
* Mon Oct  4 2010 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.5-1
- dovecot updated to 2.0.5
- acl: Fixed the logic of merging multiple ACL entries
- sdbox: Fixed memory leak when copying messages with hard links. 
- zlib: Fixed several crashes, which mainly showed up with mbox.
- quota: Don't crash if user has quota disabled, but plugin loaded.
- acl: Fixed crashing when sometimes listing shared mailboxes via dict proxy.
* Tue Sep 28 2010 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.4-1
- dovecot updated to 2.0.4
- multi-dbox: If :INDEX=path is specified, keep storage/dovecot.map.index* 
  files also in the index path rather than in the main storage directory.
- dsync: POP3 UIDLs weren't copied with Maildir
- dict file: Fixed fd leak (showed up easily with LMTP + quota)
* Mon Sep 20 2010 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.3-1
- dovecot updated to 2.0.3
- dovecot-lda: Removed use of non-standard Envelope-To: header as 
  a default for -a
- dsync: Fixed handling Noselect mailboxes
- Fixed an infinite loop introduced by v2.0.2's message parser changes.
- Fixed a crash introduced by v2.0.2's istream-crlf changes.
* Thu Sep 16 2010 Michal Hlavinka <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1:2.0.2-1
- dovecot updated
- vpopmail support is disabled for now, since it's broken. You can use
  it via checkpassword support or its sql/ldap database directly.
- maildir: Fixed "duplicate uidlist entry" errors that happened at
  least with LMTP when mail was delivered to multiple recipients
- Deleting ACLs didn't cause entries to be removed from acl_shared_dict
- mail_max_lock_timeout setting wasn't working with all locks
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #706286 - CVE-2011-1929 dovecot: potential crash when parsing
header names that contain NUL characters
        https://bugzilla.redhat.com/show_bug.cgi?id=706286
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update dovecot' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce