Dovecot Remote Information Disclosure Vulnerability

Bugtraq ID:	17961
Class:	Input Validation Error
CVE:	CVE-2006-2414
Remote:	Yes
Local:	No
Published:	May 12 2006 12:00AM
Updated:	Nov 28 2006 08:19PM
Credit:	This issue was reported by the vendor.
Vulnerable:	Dovecot Dovecot 1.0.Beta3 Dovecot Dovecot 1.0.Beta2 Dovecot Dovecot 1.0 Beta7 Dovecot Dovecot 1.0 Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1
Not Vulnerable:	Dovecot Dovecot 1.0 Beta8

Dovecot Remote Information Disclosure Vulnerability

Dovecot is prone to an information-disclosure vulnerability that may allow authenticated attackers to gain access to the names of all users with mailboxes on an affected IMAP server.

Dovecot versions 1.0 stable through 1.0 beta8 are vulnerable to this issue.

Dovecot Remote Information Disclosure Vulnerability

Attackers use readily available network utilities to exploit this issue.

Dovecot Remote Information Disclosure Vulnerability

Solution:
The vendor has released version 1.0 beta8 to address this issue. Please see the reference section for more information and vendor advisories.


Dovecot Dovecot 1.0.Beta2

• Dovecot dovecot-1.0.beta8.tar.gz
  http://www.dovecot.org/releases/dovecot-1.0.beta8.tar.gz

Dovecot Dovecot 1.0

• Dovecot dovecot-1.0.beta8.tar.gz
  http://www.dovecot.org/releases/dovecot-1.0.beta8.tar.gz

Dovecot Dovecot 1.0 Beta7

• Dovecot dovecot-1.0.beta8.tar.gz
  http://www.dovecot.org/releases/dovecot-1.0.beta8.tar.gz

Dovecot Dovecot 1.0.Beta3

• Dovecot dovecot-1.0.beta8.tar.gz
  http://www.dovecot.org/releases/dovecot-1.0.beta8.tar.gz

Dovecot Remote Information Disclosure Vulnerability

References:

• [Dovecot-news] Security hole with mboxes (Dovecot)
  
• Vendor Homepage (Dovecot)
  
• Dovecot IMAP: Mailbox names list disclosure with mboxes (Timo Sirainen )