Bug 286844 (CVE-2009-3235) - <=net-mail/dovecot-1.1.7-r1: Remote code execution in sieve plugin (CVE-2009-3235)
Alias: CVE-2009-3235
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: C1 [glsa]
Depends on: 285211 CVE-2010-0745
Reported: 2009-09-28 20:35 UTC by Michael Orlitzky
Modified: 2011-10-10 20:25 UTC
Description Michael Orlitzky gentoo-dev 2009-09-28 20:35:52 UTC
The author of Dovecot recently discovered a number of holes in the libsieve implementation of the Sieve protocol:

The versions of Sieve distributed with the 1.1.x releases of Dovecot on Gentoo are vulnerable. This includes the only stable version.

Suggested fix: address bug #285211.

Alternately, it might be safe to just bump the version of Sieve from within the ebuilds.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-09-28 20:55:04 UTC
Yes, our "sieve" wasn't patched.
Comment 2 Patrick Lauer gentoo-dev 2009-10-05 14:11:09 UTC
+  05 Oct 2009; Patrick Lauer <> +dovecot-1.1.19.ebuild:
+  Bump for 1.1 series
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 14:53:39 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 ppc sparc x86"

patrick, can you remove older ebuilds, when 1.1.19 is stable?
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-07 16:20:31 UTC
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2009-11-07 21:29:32 UTC
Stable on alpha.
Comment 6 Markus Meier gentoo-dev 2009-11-09 12:43:52 UTC
amd64 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-11-14 15:17:41 UTC
sparc stable
Comment 8 Joe Jezak (RETIRED) gentoo-dev 2009-12-29 17:40:16 UTC
Marked ppc stable.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-10 15:16:08 UTC
GLSA request filed.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-14 21:45:12 UTC
glsa request filed
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-07-14 17:02:15 UTC
waiting for 314533 wrt glsa...
Comment 12 Michael Orlitzky gentoo-dev 2011-03-28 19:54:53 UTC
I think it's safe to close this now?
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2011-03-29 19:34:56 UTC
No, it is not. The gentoo security team will close this bug after the GLSA was sent.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-10-10 20:25:05 UTC
This issue was resolved and addressed in
 GLSA 201110-04 at
by GLSA coordinator Stefan Behte (craig).