Subject: ports/128698: [vuxml] new entry for Dovecot 1.1.4-1.1.5

From: Eygene Ryabinkin <rea-fbsd@...> · Date: Saturday, November 8, 2008 - 10:03 am

>Number:         128698

quoted text>Category:       ports

>Synopsis:       [vuxml] new entry for Dovecot 1.1.4-1.1.5

>Confidential:   no

>Severity:       serious

>Priority:       medium

>Responsible:    freebsd-ports-bugs

>State:          open

>Quarter:

>Keywords:

>Date-Required:

>Class:          sw-bug

>Submitter-Id:   current-users

>Arrival-Date:   Sat Nov 08 14:10:01 UTC 2008

>Closed-Date:

>Last-Modified:

>Originator:     Eygene Ryabinkin

>Release:        FreeBSD 7.1-PRERELEASE amd64

>Organization:

Code Labs

quoted text>Environment:
Not applicable.
>Description:
Citing from http://www.dovecot.org/list/dovecot-news/2008-October/000089.html

-----

The invalid message address parsing bug is pretty important since it

allows a remote user to send broken mail headers and prevent the

recipient from accessing the mailbox afterwards, because the process

will always just crash trying to parse the header. This is assuming that

the IMAP client uses FETCH ENVELOPE command, not all do. Note that it

doesn't affect versions older than v1.1.4.

-----
Currently, FreeBSD's Dovecot from ports is build from the 1.1.3 release

and I doubt that it will be upgraded to something <= 1.1.6, since 1.1.6

is out.  But who knows.
>How-To-Repeat:
Look at

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4907

and references therein.
>Fix:
Possibly, the new VuXML entry can be added:

--- dovecot-08.11.2008.xml begins here ---
    dovecot -- invalid message address parsing bug
	dovecot

	dovecot-devel

	1.1.41.1.6
Dovecot reports:

	    The invalid message address parsing bug is pretty

	    important since it allows a remote user to send broken

	    mail headers and prevent the recipient from accessing

	    the mailbox afterwards, because the process will always

	    just crash trying to parse the header. This is assuming

	    that the IMAP client uses FETCH ENVELOPE command, not

	    all do. Note that it doesn't affect versions older than

	    v1.1.4.

      CVE-2008-4907

      http://www.dovecot.org/list/dovecot-news/2008-October/000089.html

      http://secunia.com/advisories/32479/

      http://xforce.iss.net/xforce/xfdb/46227/

      http://www.securityfocus.com/bid/31997/
      2008-10-30

      2008-11-08
--- dovecot-08.11.2008.xml ends here ---
As I said, I greatly doubt that official FreeBSD ports will ever have

these versions of Dovecot, but people can update their ports to receive

the new Dovecot versions, so there can be some reasons to add it.
The only PR that contains Dovecot is ports/128469 and it upgrades the

port to the "safe" version 1.1.6.

quoted text>Release-Note:

>Audit-Trail:

>Unformatted:

_______________________________________________

freebsd-security@freebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-security

To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


linux-kernel:
Greg KH	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Greg Kroah-Hartman	[PATCH 001/196] Chinese: Add the known_regression URI to the HOWTO
Andy Whitcroft	clam
Ingo Molnar	[patch] paravirt: VDSO page is essential
git:

linux-netdev:
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Lovich, Vitali	RE: [PATCH] Packet socket: mmapped IO: PACKET_TX_RING
David Miller	[GIT]: Networking
openbsd-misc: