Two security flaws have been found in the Dovecot software package that allow attackers to carry out MITM (man-in-the-middle) and DoS attacks.
Package: | Dovecot 2.0.x (before 2.0.16) |
Operating systems: | Fedora 15, Fedora 16 |
Problem: | missing certificate hostname validation when proxying; obsolete settings in the default configuration |
Exploitation: | local/remote |
Consequence: | disclosure of sensitive information, denial of service (DoS) |
Solution: | vendor patch |
Original advisory ID: | FEDORA-2011-16272, FEDORA-2011-16234 |
Source: | Fedora |
Problem:
When Dovecot proxies a connection over SSL/TLS (ssl=yes or starttls=yes) to a destination given as a hostname, it did not check that the backend's certificate matches that hostname, so a certificate for any name issued by a trusted CA was accepted. In addition, the default configuration file shipped obsolete settings (the 'imaps' and 'pop3s' protocol names).

Consequence:
An attacker can exploit the flaws to carry out MITM and DoS attacks.

Solution:
Users are advised to apply the update.
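The missing check, as an added example that is not Dovecot code: a Python model of the hostname validation that 2.0.16 adds on the proxy side, beside the pre-fix behaviour that validated only the certificate chain. The certificates are constructed dictionaries in the layout of Python's ssl.getpeercert(); the function and constant names, the `fixed` switch and the destination names are this example's own, and the `ssl=yes` / `ssl=any-cert` semantics are taken from the Dovecot proxy documentation as I understand them.

```python
"""Proxy-side certificate hostname check (added example, not Dovecot code).

Models the behaviour the Dovecot 2.0.16 update describes: for a proxy
destination configured with ssl=yes / starttls=yes and given as a hostname,
the backend certificate must, after the chain has been validated, also carry
that hostname. Before the fix only the chain was validated, so a certificate
issued by any trusted CA for any name was accepted.
"""
import ipaddress


def dns_names(cert):
    """DNS names a certificate claims: subjectAltName DNS entries, falling
    back to the subject commonName only when the SAN carries none.
    `cert` follows the dict layout of Python's ssl.getpeercert()."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """RFC 6125 style: case-insensitive label comparison; a wildcard is
    allowed only as the whole leftmost label, must leave at least two more
    labels, and never spans a dot."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_host(cert, hostname):
    return any(name_matches(name, hostname) for name in dns_names(cert))


def is_ip_literal(dest):
    try:
        ipaddress.ip_address(dest)
    except ValueError:
        return False
    return True


def proxy_accepts(dest, cert, ssl_mode="yes", chain_valid=True, fixed=True):
    """Whether the proxy may keep the TLS session to backend `dest`.

    ssl_mode mirrors the proxy passdb field: "yes" demands a valid
    certificate, "any-cert" accepts anything. `fixed=False` reproduces the
    pre-2.0.16 behaviour (chain check only). The name check applies only to
    hostname destinations, not to IP literals, as the update states.
    """
    if ssl_mode == "any-cert":
        return True
    if not chain_valid:
        return False
    if not fixed or is_ip_literal(dest):
        return True
    return cert_matches_host(cert, dest)


# Constructed certificates for this example (not real ones).
LEGIT_CERT = {
    "subject": ((("commonName", "mail2.example.com"),),),
    "subjectAltName": (("DNS", "mail2.example.com"), ("DNS", "*.example.com")),
}
# Chain-valid (same trusted CA) but issued for a name the attacker controls.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example.org"),),),
    "subjectAltName": (("DNS", "attacker.example.org"),),
}


if __name__ == "__main__":
    dest = "mail2.example.com"
    for label, fixed in (("pre-2.0.16", False), ("2.0.16", True)):
        print(label, "accepts attacker cert for", dest, "->",
              proxy_accepts(dest, ATTACKER_CERT, fixed=fixed))
```

The pre-fix branch is the MITM: anyone holding a CA-signed certificate for their own name, and positioned on the path to the backend, is accepted. Note that `ssl=any-cert` and IP-literal destinations still skip the name check after the update, so neither is a substitute for a hostname plus `ssl=yes`.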
Original advisory text
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-16272
2011-11-23 00:22:29
--------------------------------------------------------------------------------
Name : dovecot
Product : Fedora 16
Version : 2.0.16
Release : 1.fc16
URL : http://www.dovecot.org/
Summary : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.
The SQL drivers and authentication plug-ins are in their subpackages.
--------------------------------------------------------------------------------
Update Information:
* Proxying: If using ssl=yes or starttls=yes with a hostname (not IP) as proxy destination, require that the certificate matches the given hostname.
* VSZ limits weren't being enforced for any processes. On server with large mailboxes you may now see errors about it if the limits aren't high enough. To fix them, either increase individual service { vsz_limit } values or simply increase the default_vsz_limit setting.
* LMTP: Changed default client_limit to 1. This should improve LMTP throughput with default settings.
* dsync: Quota is no longer enforced (i.e. dsync can't fail because user is over quota).
- do not use obsolete settings in default configuration
--------------------------------------------------------------------------------
ChangeLog:
* Mon Nov 21 2011 Michal Hlavinka - 1:2.0.16-1
- dovecot updated to 2.0.16
* Mon Oct 24 2011 Michal Hlavinka - 1:2.0.15-2
- do not use obsolete settings in default configuration (#743444)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #754981 - dovecot: MITM due absent certificate's CN validation against requested remote server hostname [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=754981
[ 2 ] Bug #753534 - Obsolete setting 'imaps', 'pop3s' protocol
https://bugzilla.redhat.com/show_bug.cgi?id=753534
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update dovecot' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
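The two configuration points in the notification above (the obsolete 'imaps'/'pop3s' protocol names from bug #753534, and a proxy destination with ssl=yes) as a Dovecot 2.0 configuration fragment. This is an added example, not part of the Fedora notification or of Dovecot's shipped configuration; the certificate paths, the passwd-file passdb and the user entry are assumed for illustration, and the setting names are those of Dovecot 2.0 as I know them (compare against `doveconf -n` on the installed version).

```conf
# Dovecot 2.0 configuration fragment (added example, not from the advisory).

# --- Obsolete 1.x form (bug #753534): 'imaps' and 'pop3s' are no longer
# protocol names in 2.0; dovecot warns about them and they configure nothing.
#protocols = imap imaps pop3 pop3s

# --- 2.0 form: plain protocol names, SSL ports as listeners of the
# login services.
protocols = imap pop3
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem     # assumed path
ssl_key = </etc/pki/dovecot/private/dovecot.pem    # assumed path

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

# --- Proxying over TLS to a backend named by hostname.
# The proxy validates the backend certificate chain against this directory;
# with ssl=yes in the passdb result, 2.0.16 additionally requires the
# certificate to match 'host'. ssl=any-cert would skip both checks, and an
# IP literal in 'host' gets no name check at all.
ssl_client_ca_dir = /etc/pki/tls/certs             # assumed path

passdb {
  driver = passwd-file
  args = /etc/dovecot/proxy-users                   # assumed path
}
# Constructed entry for /etc/dovecot/proxy-users
# (user:password:uid:gid:gecos:home:shell:extra_fields):
#   alice:{PLAIN}secret::::::proxy=y host=mail2.example.com ssl=yes
```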
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-16234
2011-11-23 00:20:58
--------------------------------------------------------------------------------
Name : dovecot
Product : Fedora 15
Version : 2.0.16
Release : 1.fc15
URL : http://www.dovecot.org/
Summary : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.
The SQL drivers and authentication plug-ins are in their subpackages.
--------------------------------------------------------------------------------
Update Information:
* Proxying: If using ssl=yes or starttls=yes with a hostname (not IP) as proxy destination, require that the certificate matches the given hostname.
* VSZ limits weren't being enforced for any processes. On server with large mailboxes you may now see errors about it if the limits aren't high enough. To fix them, either increase individual service { vsz_limit } values or simply increase the default_vsz_limit setting.
* LMTP: Changed default client_limit to 1. This should improve LMTP throughput with default settings.
* dsync: Quota is no longer enforced (i.e. dsync can't fail because user is over quota).
- do not use obsolete settings in default configuration
--------------------------------------------------------------------------------
ChangeLog:
* Mon Nov 21 2011 Michal Hlavinka - 1:2.0.16-1
- dovecot updated to 2.0.16
* Mon Sep 19 2011 Michal Hlavinka - 1:2.0.15-1
- dovecot updated to 2.0.15
- v2.0.14: Index reading could have eaten a lot of memory in some
situations
- mbox: Fixed crash during mail delivery when mailbox didn't yet have
GUID assigned to it.
- zlib+mbox: Fetching last message from compressed mailboxes crashed.
* Mon Aug 29 2011 Michal Hlavinka - 1:2.0.14-1
- dovecot updated to 2.0.14
- userdb extra fields can now return name+=value to append to an
existing name
- script-login attempted an unnecessary config lookup, which usually
failed with "Permission denied".
- lmtp: Fixed parsing quoted strings with spaces as local-part for
MAIL FROM and RCPT TO.
- imap: FETCH BODY[HEADER.FIELDS (..)] may have crashed or not
returned all data sometimes.
- ldap: Fixed random assert-crashing with sasl_bind=yes.
- Fixes to handling mail chroots
- Fixed renaming mailboxes under different parent with FS layout when
using separate ALT, INDEX or CONTROL paths.
- zlib: Fixed reading concatenated .gz files.
* Thu May 12 2011 Michal Hlavinka - 1:2.0.13-1
- dovecot updated to 2.0.13
- mdbox purge: Fixed wrong warning about corrupted extrefs.
- script-login binary wasn't actually dropping privileges to the
user/group/chroot specified by its service settings.
- Fixed potential crashes and other problems when parsing header names
that contained NUL characters.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #754981 - dovecot: MITM due absent certificate's CN validation against requested remote server hostname [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=754981
[ 2 ] Bug #753534 - Obsolete setting 'imaps', 'pop3s' protocol
https://bugzilla.redhat.com/show_bug.cgi?id=753534
--------------------------------------------------------------------------------