Mac OS X Server Dovecot Memory Aliasing Bug May Cause Mail to Be Delivered to the Wrong User
SecurityTracker Alert ID: 1024740
SecurityTracker URL: http://securitytracker.com/id/1024740
CVE Reference: CVE-2010-4011
Date: Nov 15 2010
Impact: Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 10.6.5 (Build 10H574)
Description:
A vulnerability was reported in Dovecot as shipped with Mac OS X Server. A remote user may obtain another user's e-mail in certain cases.
On systems configured with Dovecot as a mail server, a memory aliasing bug may cause a valid e-mail user to receive mail destined for other users.
The upstream version of Dovecot is not affected.
Impact:
A remote user may receive another user's e-mail in certain cases.
Solution:
The vendor has issued a fix (10.6.5 (10H575)), available via the Software Update pane in System Preferences, or Apple's Software Downloads web site at:
http://www.apple.com/support/downloads/
For Mac OS X v10.6.4 - v10.6.5 (10H574)
The download file is named: MacOSXServerUpd10.6.5.dmg
Its SHA-1 digest is: 0688ed0f2b17e3fdce3147d442dcd4beb5ffc002
For Mac OS X v10.6 - v10.6.3
The download file is named: MacOSXServerUpdCombo10.6.5.dmg
Its SHA-1 digest is: f3d57085b455c4830e7b5e97ea63b0a81722e5f3
The build number after installing this update is 10H575 or later.
Mac OS X Server v10.6.5 (10H575) contains all security fixes
released in Mac OS X Server v10.6.5 (10H574) on November 10, 2010.
The vendor's advisory will be available at:
http://support.apple.com/kb/HT1222
Vendor URL: www.apple.com/
Cause:
Access control error
Underlying OS:
Message History:
None.
Source Message Contents
Date: Mon, 15 Nov 2010 15:01:43 -0800
Subject: APPLE-SA-2010-11-15-1 Mac OS X Server v10.6.5 (10H575)
APPLE-SA-2010-11-15-1 Mac OS X Server v10.6.5 (10H575)
Mac OS X Server v10.6.5 (10H575) is now available and addresses the
following:
Dovecot
CVE-ID: CVE-2010-4011
Available for: Mac OS X Server v10.6 through v10.6.5 (10H574)
Impact: A user may receive mail intended for other users
Description: A memory aliasing issue in Dovecot's handling of user
names exists in Mac OS X Server v10.6.5 (10H574). On systems
configured with Dovecot as a mail server, a user may receive mail
that was intended for other users. This issue is addressed through
improved memory management. Dovecot is only provided with Mac OS X
Server systems. This issue only affects systems running Mac OS X
Server v10.6.5 (10H574). This issue does not affect the Dovecot open
source project.
Mac OS X Server v10.6.5 (10H575) may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.6.4 - v 10.6.5 (10H574)
The download file is named: MacOSXServerUpd10.6.5.dmg
Its SHA-1 digest is: 0688ed0f2b17e3fdce3147d442dcd4beb5ffc002
For Mac OS X v10.6 - v10.6.3
The download file is named: MacOSXServerUpdCombo10.6.5.dmg
Its SHA-1 digest is: f3d57085b455c4830e7b5e97ea63b0a81722e5f3
The build number after installing this update is 10H575 or later.
Mac OS X Server v10.6.5 (10H575) contains all security fixes
released in Mac OS X Server v10.6.5 (10H574) on November 10, 2010.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/