CVE-2011-4318

Publication date 18 November 2011

Last updated 24 July 2024

Ubuntu priority

Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
dovecot	11.10 oneiric	Fixed 1:2.0.13-1ubuntu3.2
	11.04 natty	Not affected
	10.10 maverick	Not affected
	10.04 LTS lucid	Not affected
	8.04 LTS hardy	Not affected

Notes

jdstrand

SSL proxy connections were added in some Dovecot v1.x versions, but but v1.x doesn't support giving hostname as proxy destination, only IP address. (per upstream)

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
dovecot	Upstream: http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1 Upstream: http://hg.dovecot.org/dovecot-2.0/rev/de8715e4d793 Upstream: http://hg.dovecot.org/dovecot-2.0/rev/4294e9136cd6

References

Related Ubuntu Security Notices (USN)