Executive Summary
Summary | |
---|---|
Title | New dovecot packages fix directory traversal |
Informations | |||
---|---|---|---|
Name | DSA-1359 | First vendor Publication | 2007-08-28 |
Vendor | Debian | Last vendor Modification | 2007-08-28 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
It was discovered that dovecot, a secure mail server that supports mbox and maildir mailboxes, when configured to use non-system-user spools and compressed folders, may allow directory traversal in mailbox names. For the stable distribution (etch), this problem has been fixed in version 1.0.rc15-2etch1. For the old stable distribution (sarge), this problem was not present. For the unstable distribution this problem with be fixed soon. We recommend that you upgrade your dovecot package. |
Original Source
Url : http://www.debian.org/security/2007/dsa-1359 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10995 | |||
Oval ID: | oval:org.mitre.oval:def:10995 | ||
Title: | Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name. | ||
Description: | Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-2231 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:20207 | |||
Oval ID: | oval:org.mitre.oval:def:20207 | ||
Title: | DSA-1359-1 dovecot - directory traversal | ||
Description: | It was discovered that dovecot, a secure mail server that supports mbox and maildir mailboxes, when configured to use non-system-user spools and compressed folders, may allow directory traversal in mailbox names. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1359-1 CVE-2007-2231 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | dovecot |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-03-23 | Name : Ubuntu Update for dovecot vulnerability USN-487-1 File : nvt/gb_ubuntu_USN_487_1.nasl |
2009-03-06 | Name : RedHat Update for dovecot RHSA-2008:0297-02 File : nvt/gb_RHSA-2008_0297-02_dovecot.nasl |
2009-02-27 | Name : Fedora Update for dovecot FEDORA-2007-493 File : nvt/gb_fedora_2007_493_dovecot_fc5.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1359-1 (dovecot) File : nvt/deb_1359_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
35489 | Dovecot index/mbox/mbox-storage.c Traversal Arbitrary Gzip File Access |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20080521_dovecot_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2008-05-22 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2008-0297.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-487-1.nasl - Type : ACT_GATHER_INFO |
2007-09-03 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1359.nasl - Type : ACT_GATHER_INFO |
2007-05-10 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-493.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:26:50 |
|