Your message dated Sat, 12 Apr 2008 07:52:42 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#470685: fixed in dovecot 1.0.rc15-2etch4
has caused the Debian Bug report #470685,
regarding dovecot-pop3d: security holes (login without password, mail extra groups)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
470685: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470685
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: dovecot-pop3d
Version: 1.0.rc15-2etch3
Severity: critical
Tags: security
Justification: causes serious data loss
There are two security issues:
http://dovecot.org/list/dovecot-news/2008-March/000064.html
http://dovecot.org/list/dovecot-news/2008-March/000060.html
Dated from March 2008, and my last version from Debian stable has been
built on Mon, 07 Jan 2008. Please make an updated version available.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-amd64
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Versions of packages dovecot-pop3d depends on:
ii dovecot-common 1.0.rc15-2etch3 secure mail server that supports m
ii libc6 2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii libssl0.9.8 0.9.8c-4etch1 SSL shared libraries
dovecot-pop3d recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: dovecot
Source-Version: 1.0.rc15-2etch4
We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive:
dovecot-common_1.0.rc15-2etch4_amd64.deb
to pool/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_amd64.deb
dovecot-imapd_1.0.rc15-2etch4_amd64.deb
to pool/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_amd64.deb
dovecot-pop3d_1.0.rc15-2etch4_amd64.deb
to pool/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_amd64.deb
dovecot_1.0.rc15-2etch4.diff.gz
to pool/main/d/dovecot/dovecot_1.0.rc15-2etch4.diff.gz
dovecot_1.0.rc15-2etch4.dsc
to pool/main/d/dovecot/dovecot_1.0.rc15-2etch4.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabio Tranchitella <[EMAIL PROTECTED]> (supplier of updated dovecot package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 13 Mar 2008 12:22:32 +0100
Source: dovecot
Binary: dovecot-common dovecot-pop3d dovecot-imapd
Architecture: source amd64
Version: 1.0.rc15-2etch4
Distribution: stable-security
Urgency: high
Maintainer: Dovecot Maintainers <[EMAIL PROTECTED]>
Changed-By: Fabio Tranchitella <[EMAIL PROTECTED]>
Description:
dovecot-common - secure mail server that supports mbox and maildir mailboxes
dovecot-imapd - secure IMAP server that supports mbox and maildir mailboxes
dovecot-pop3d - secure POP3 server that supports mbox and maildir mailboxes
Closes: 470685
Changes:
dovecot (1.0.rc15-2etch4) stable-security; urgency=high
.
* Security issue: some passdbs allowed users to log in without a valid
password (http://dovecot.org/list/dovecot-news/2008-March/000064.html)
Applied upstream patch for the 1.0.x branch, downloaded from:
http://hg.dovecot.org/dovecot-1.0/raw-rev/da2a9372e26e
(Closes: #470685)
* Security issue: mail_extra_groups setting is often used insecurely
(http://dovecot.org/list/dovecot-news/2008-March/000060.html).
Applied upstream patch for the 1.0.x branch, downloaded from:
http://dovecot.org/patches/1.0/dovecot-1.0.10.mail_priv_groups.diff
Files:
8146ccf246ed64e1ac8c0127489ec798 1300 mail optional dovecot_1.0.rc15-2etch4.dsc
21959fc45cf0f8932fa9eb890791ff39 102991 mail optional dovecot_1.0.rc15-2etch4.diff.gz
1c2e1ffeb6bf745ed88cde01c62d264a 1222430 mail optional dovecot-common_1.0.rc15-2etch4_amd64.deb
c17bac715f188f55ae20e5a3c95109b1 569588 mail optional dovecot-imapd_1.0.rc15-2etch4_amd64.deb
4f64ed0cc16510e9c3d709342b3c57ca 536634 mail optional dovecot-pop3d_1.0.rc15-2etch4_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---