[Backports-security-announce] Security Update for dovecot

To: backports-security-announce@lists.backports.org
Subject: [Backports-security-announce] Security Update for dovecot
From: Marco Nenciarini <mnencia@debian.org>
Date: Wed, 02 Dec 2009 20:03:17 +0100
Message-id: <[🔎] 4B16B9F5.7050104@debian.org>
Reply-to: backports-users@lists.backports.org

Marco Nenciarini uploaded new packages for dovecot which fix the
following security problem:

CVE-2009-3897

  Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of
  certain directories at installation time, which allows local users to
  access arbitrary user accounts by replacing the auth socket, related
  to the parent directories of the base_dir directory, and possibly the
  base_dir directory itself.

For the lenny-backports distribution the problems have been fixed in
version 1:1.2.8-1~bpo50+1.

Upgrade instructions
--------------------

If you don't use pinning (see [1]) you have to update the package
manually via "apt-get -t lenny-backports install dovecot-common
dovecot-imapd dovecot-pop3d" with the packagelist of your installed
packages affected by this update.

[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

We recommend to pin the backports repository to 200 so that new
versions of installed  backports will be installed automatically.

  Package: *
  Pin: release a=lenny-backports
  Pin-Priority: 200

Reply to:

Next by Date: [Backports-security-announce] Security Update for Shibboleth packages
Next by thread: [Backports-security-announce] Security Update for Shibboleth packages
Index(es):
- Date
- Thread