List: oss-security
Subject: Re: [oss-security] CVE Request - Dovecot - 1.2.8
From: Josh Bressers <bressers () redhat ! com>
Date: 2009-11-23 18:58:11
Message-ID: 750835919.590711259002691938.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
This is CVE-2009-3897 (as noted in a previous mail); this is the second
request for this flaw.
Thanks.
--
JB
----- "Jan Lieskovsky" <jlieskov@redhat.com> wrote:
> Hi Josh, Steve, vendors,
>
> Dovecot upstream has released latest 1.2.8 version, fixing
> one security issue. Quoting from news:
>
> This is mainly to fix the 0777 base_dir creation issue, which could be
> considered a security hole, exploitable by local users. An attacker
> could for example replace Dovecot's auth socket and log in as other
> users. Gaining root privileges isn't possible though.
>
> This affects only v1.2 users, v1.1 and older versions were creating the
> directory with 0755 permission.
>
> References:
> -----------
> http://www.dovecot.org/list/dovecot-news/2009-November/000143.html
> http://www.dovecot.org/index.html
>
> Could you allocate a CVE id? (in case there isn't one already).
>
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
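
Added example, not part of the original thread and not Dovecot's code: a defender-side audit of a runtime directory such as the base_dir described in the quoted announcement, flagging group/other-writable modes and the sockets that become replaceable as a result. The function names, the socket name `auth` and the temporary directory are constructed for illustration.

```python
import os
import socket
import stat
import tempfile


def audit_base_dir(path):
    """Return findings for a runtime directory that holds service sockets."""
    st = os.lstat(path)  # lstat: judge the path itself, not a symlink target
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    classes = [name for name, bit in (("group", stat.S_IWGRP),
                                      ("other", stat.S_IWOTH)) if mode & bit]
    if not classes:
        return []  # e.g. 0755: only the owner can change directory entries
    sticky = bool(mode & stat.S_ISVTX)
    findings = [f"{path}: mode {mode:04o} is writable by {'/'.join(classes)}"
                + (" (sticky bit set)" if sticky else "")]
    if not sticky:
        # Without the sticky bit, write access to the directory is enough to
        # unlink an existing socket and bind a new one under the same name.
        for entry in os.scandir(path):
            if stat.S_ISSOCK(entry.stat(follow_symlinks=False).st_mode):
                findings.append(f"{entry.path}: socket replaceable by any user "
                                "with write access to the directory")
    return findings


def demo():
    """Constructed fixture: one socket in a temp directory, three modes."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(os.path.join(base, "auth"))  # constructed socket name
        try:
            for mode in (0o777, 0o1777, 0o755):
                os.chmod(base, mode)
                results[mode] = audit_base_dir(base)
        finally:
            sock.close()
            os.chmod(base, 0o700)
    return results


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(f"{mode:04o}: {findings or 'no findings'}")
```
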