
List:       oss-security
Subject:    Re: [oss-security] CVE Request - Dovecot - 1.2.8
From:       Josh Bressers <bressers () redhat ! com>
Date:       2009-11-23 18:58:11
Message-ID: 750835919.590711259002691938.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

This is CVE-2009-3897 (as noted in a previous mail); this is the second
request for this flaw.

Thanks.

-- 
    JB

----- "Jan Lieskovsky" <jlieskov@redhat.com> wrote:

> Hi Josh, Steve, vendors,
> 
>    Dovecot upstream has released the latest 1.2.8 version, fixing
> one security issue. Quoting from the news:
> 
> This is mainly to fix the 0777 base_dir creation issue, which could be
> considered a security hole, exploitable by local users. An attacker
> could for example replace Dovecot's auth socket and log in as other
> users. Gaining root privileges isn't possible though.
> 
> This affects only v1.2 users, v1.1 and older versions were creating the
> directory with 0755 permission.
> 
> References:
> -----------
> http://www.dovecot.org/list/dovecot-news/2009-November/000143.html
> http://www.dovecot.org/index.html
> 
> Could you allocate a CVE id? (in case there isn't one already).
> 
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
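
Added example, not part of the original mail and not Dovecot code: a permission audit for a daemon runtime directory, showing why 0777 is flagged and 0755 is not. The function names and the temporary directory are constructed for illustration; pass the real base_dir path from your own configuration.

```python
import os
import stat
import tempfile


def audit_runtime_dir(path):
    """Report whether other local users can tamper with entries in `path`."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    world_writable = bool(mode & stat.S_IWOTH)
    sticky = bool(mode & stat.S_ISVTX)
    # Sockets in the directory are the entries other processes connect to.
    sockets = sorted(
        name for name in os.listdir(path)
        if stat.S_ISSOCK(os.lstat(os.path.join(path, name)).st_mode)
    )
    return {
        "mode": format(mode, "04o"),
        # Write permission on a directory allows unlinking or renaming any
        # entry in it, whoever owns the entry, unless the sticky bit is set.
        "replaceable": world_writable and not sticky,
        # Even with the sticky bit, other users can still create new names.
        "creatable": world_writable,
        "sockets": sockets,
    }


def make_demo_dir(mode):
    """Create a constructed temporary directory with an explicit mode."""
    path = tempfile.mkdtemp(prefix="rundir-")
    os.chmod(path, mode)  # chmod is not affected by the process umask
    return path


if __name__ == "__main__":
    for demo_mode in (0o777, 0o1777, 0o755):
        demo = make_demo_dir(demo_mode)
        print(audit_runtime_dir(demo))
        os.rmdir(demo)
```
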