Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2008-4577
Vulnerability from cvelistv5
Published
2008-10-15 20:00
Modified
2024-08-07 10:24
Severity ?
EPSS score ?
Summary
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-07T10:24:20.877Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "32164", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/32164", }, { name: "32471", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/32471", }, { name: "33149", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/33149", }, { name: "ADV-2008-2745", tags: [ "vdb-entry", "x_refsource_VUPEN", "x_transferred", ], url: "http://www.vupen.com/english/advisories/2008/2745", }, { name: "FEDORA-2008-9202", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html", }, { name: "oval:org.mitre.oval:def:10376", tags: [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred", ], url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376", }, { name: "31587", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/31587", }, { name: "FEDORA-2008-9232", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html", }, { name: "MDVSA-2008:232", tags: [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred", ], url: "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232", }, { name: "USN-838-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "http://www.ubuntu.com/usn/USN-838-1", }, { name: "SUSE-SR:2009:004", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", }, { name: "GLSA-200812-16", tags: [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred", ], url: "http://security.gentoo.org/glsa/glsa-200812-16.xml", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://bugs.gentoo.org/show_bug.cgi?id=240409", }, { name: "RHSA-2009:0205", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://www.redhat.com/support/errata/RHSA-2009-0205.html", }, { name: "33624", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/33624", }, { name: "[Dovecot-news] 20081005 v1.1.4 released", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html", }, { name: "36904", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/36904", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2008-10-05T00:00:00", descriptions: [ { lang: "en", value: "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-09-28T12:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "32164", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/32164", }, { name: "32471", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/32471", }, { name: "33149", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/33149", }, { name: "ADV-2008-2745", tags: [ "vdb-entry", "x_refsource_VUPEN", ], url: "http://www.vupen.com/english/advisories/2008/2745", }, { name: "FEDORA-2008-9202", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html", }, { name: "oval:org.mitre.oval:def:10376", tags: [ "vdb-entry", "signature", "x_refsource_OVAL", ], url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376", }, { name: "31587", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/31587", }, { name: "FEDORA-2008-9232", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html", }, { name: "MDVSA-2008:232", tags: [ "vendor-advisory", "x_refsource_MANDRIVA", ], url: "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232", }, { name: "USN-838-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "http://www.ubuntu.com/usn/USN-838-1", }, { name: "SUSE-SR:2009:004", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", }, { name: "GLSA-200812-16", tags: [ "vendor-advisory", "x_refsource_GENTOO", ], url: "http://security.gentoo.org/glsa/glsa-200812-16.xml", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://bugs.gentoo.org/show_bug.cgi?id=240409", }, { name: "RHSA-2009:0205", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://www.redhat.com/support/errata/RHSA-2009-0205.html", }, { name: "33624", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/33624", }, { name: "[Dovecot-news] 20081005 v1.1.4 released", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html", }, { name: "36904", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/36904", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2008-4577", datePublished: "2008-10-15T20:00:00", dateReserved: "2008-10-15T00:00:00", dateUpdated: "2024-08-07T10:24:20.877Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { nvd: "{\"cve\":{\"id\":\"CVE-2008-4577\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2008-10-15T20:08:02.670\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.\"},{\"lang\":\"es\",\"value\":\"El plugin ACL en Dovecot anterior a 1.1.4 amenaza los derechos del acceso negativo como si fueran derechos de acceso positivos, lo que permite a atacantes evitar las restricciones de acceso previstas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.1.4\",\"matchCriteriaId\":\"B084417D-FA5E-45DE-AA03-3932D9292B30\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"72E4DB7F-07C3-46BB-AAA2-05CD0312C57F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"743CBBB1-C140-4FEF-B40E-FAE4511B1140\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:opensuse:10.3-11.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7018930-D354-4B31-870E-D0E3CE19C8B5\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*\",\"matchCriteriaId\":\"7EBFE35C-E243-43D1-883D-4398D71763CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4747CC68-FAF4-482F-929A-9DA6C24CB663\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A5D026D0-EF78-438D-BEDD-FC8571F3ACEB\"}]}]}],\"references\":[{\"url\":\"http://bugs.gentoo.org/show_bug.cgi?id=240409\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://secunia.com/advisories/32164\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\",\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/32471\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/33149\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/33624\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/36904\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://security.gentoo.org/glsa/glsa-200812-16.xml\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.dovecot.org/list/dovecot-news/2008-October/000085.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDVSA-2008:232\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2009-0205.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.securityfocus.com/bid/31587\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.ubuntu.com/usn/USN-838-1\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2008/2745\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://bugs.gentoo.org/show_bug.cgi?id=240409\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://secunia.com/advisories/32164\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/32471\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/33149\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/33624\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/36904\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://security.gentoo.org/glsa/glsa-200812-16.xml\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.dovecot.org/list/dovecot-news/2008-October/000085.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDVSA-2008:232\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2009-0205.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.securityfocus.com/bid/31587\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.ubuntu.com/usn/USN-838-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2008/2745\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]}]}}", }, }
rhsa-2009_0205
Vulnerability from csaf_redhat
Published
2009-01-20 15:45
Modified
2024-11-22 02:17
Summary
Red Hat Security Advisory: dovecot security and bug fix update
Notes
Topic
An updated dovecot package that corrects two security flaws and various bugs
is now available for Red Hat Enterprise Linux 5.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
Details
Dovecot is an IMAP server for Linux and UNIX-like systems, primarily
written with security in mind.
A flaw was found in Dovecot's ACL plug-in. The ACL plug-in treated negative
access rights as positive rights, which could allow an attacker to bypass
intended access restrictions. (CVE-2008-4577)
A password disclosure flaw was found with Dovecot's configuration file. If
a system had the "ssl_key_password" option defined, any local user could
view the SSL key password. (CVE-2008-4870)
Note: This flaw did not allow the attacker to acquire the contents of the
SSL key. The password has no value without the key file which arbitrary
users should not have read access to.
To better protect even this value, however, the dovecot.conf file now
supports the "!include_try" directive. The ssl_key_password option should
be moved from dovecot.conf to a new file owned by, and only readable and
writable by, root (ie 0600). This file should be referenced from
dovecot.conf by setting the "!include_try [/path/to/password/file]" option.
Additionally, this update addresses the following bugs:
* the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if
the dovecot binary or configuration files existed. It also used the wrong
pid file for checking the dovecot service's status. This update includes a
new init script that corrects these errors.
* the %files section of the dovecot spec file did not include "%dir
%{ssldir}/private". As a consequence, the /etc/pki/private/ directory was
not owned by dovecot. (Note: files inside /etc/pki/private/ were and are
owned by dovecot.) With this update, the missing line has been added to the
spec file, and the noted directory is now owned by dovecot.
* in some previously released versions of dovecot, the authentication
process accepted (and passed along un-escaped) passwords containing
characters that had special meaning to dovecot's internal protocols. This
updated release prevents such passwords from being passed back, instead
returning the error, "Attempted login with password having illegal chars".
Note: dovecot versions previously shipped with Red Hat Enterprise Linux 5
did not allow this behavior. This update addresses the issue above but said
issue was only present in versions of dovecot not previously included with
Red Hat Enterprise Linux 5.
Users of dovecot are advised to upgrade to this updated package, which
addresses these vulnerabilities and resolves these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Low", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An updated dovecot package that corrects two security flaws and various bugs\nis now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.", title: "Topic", }, { category: "general", text: "Dovecot is an IMAP server for Linux and UNIX-like systems, primarily\nwritten with security in mind.\n\nA flaw was found in Dovecot's ACL plug-in. The ACL plug-in treated negative\naccess rights as positive rights, which could allow an attacker to bypass\nintended access restrictions. (CVE-2008-4577)\n\nA password disclosure flaw was found with Dovecot's configuration file. If\na system had the \"ssl_key_password\" option defined, any local user could\nview the SSL key password. (CVE-2008-4870)\n\nNote: This flaw did not allow the attacker to acquire the contents of the\nSSL key. The password has no value without the key file which arbitrary\nusers should not have read access to.\n\nTo better protect even this value, however, the dovecot.conf file now\nsupports the \"!include_try\" directive. The ssl_key_password option should\nbe moved from dovecot.conf to a new file owned by, and only readable and\nwritable by, root (ie 0600). This file should be referenced from\ndovecot.conf by setting the \"!include_try [/path/to/password/file]\" option.\n\nAdditionally, this update addresses the following bugs:\n\n* the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if\nthe dovecot binary or configuration files existed. It also used the wrong\npid file for checking the dovecot service's status. This update includes a\nnew init script that corrects these errors.\n\n* the %files section of the dovecot spec file did not include \"%dir\n%{ssldir}/private\". As a consequence, the /etc/pki/private/ directory was\nnot owned by dovecot. (Note: files inside /etc/pki/private/ were and are\nowned by dovecot.) With this update, the missing line has been added to the\nspec file, and the noted directory is now owned by dovecot.\n\n* in some previously released versions of dovecot, the authentication\nprocess accepted (and passed along un-escaped) passwords containing\ncharacters that had special meaning to dovecot's internal protocols. This\nupdated release prevents such passwords from being passed back, instead\nreturning the error, \"Attempted login with password having illegal chars\".\n\nNote: dovecot versions previously shipped with Red Hat Enterprise Linux 5\ndid not allow this behavior. This update addresses the issue above but said\nissue was only present in versions of dovecot not previously included with\nRed Hat Enterprise Linux 5.\n\nUsers of dovecot are advised to upgrade to this updated package, which\naddresses these vulnerabilities and resolves these issues.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2009:0205", url: "https://access.redhat.com/errata/RHSA-2009:0205", }, { category: "external", summary: "http://www.redhat.com/security/updates/classification/#low", url: "http://www.redhat.com/security/updates/classification/#low", }, { category: "external", summary: "238016", url: "https://bugzilla.redhat.com/show_bug.cgi?id=238016", }, { category: "external", summary: "436287", url: "https://bugzilla.redhat.com/show_bug.cgi?id=436287", }, { category: "external", summary: "439369", url: "https://bugzilla.redhat.com/show_bug.cgi?id=439369", }, { category: "external", summary: "448089", url: "https://bugzilla.redhat.com/show_bug.cgi?id=448089", }, { category: "external", summary: "467436", url: "https://bugzilla.redhat.com/show_bug.cgi?id=467436", }, { category: "external", summary: "469659", url: "https://bugzilla.redhat.com/show_bug.cgi?id=469659", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_0205.json", }, ], title: "Red Hat Security Advisory: dovecot security and bug fix update", tracking: { current_release_date: "2024-11-22T02:17:23+00:00", generator: { date: "2024-11-22T02:17:23+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2009:0205", initial_release_date: "2009-01-20T15:45:00+00:00", revision_history: [ { date: "2009-01-20T15:45:00+00:00", number: "1", summary: "Initial version", }, { date: "2009-01-20T11:06:11+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T02:17:23+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product: { name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::client_workstation", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux (v. 5 server)", product: { name: "Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::server", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.src", product: { name: "dovecot-0:1.0.7-7.el5.src", product_id: "dovecot-0:1.0.7-7.el5.src", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.x86_64", product: { name: "dovecot-0:1.0.7-7.el5.x86_64", product_id: "dovecot-0:1.0.7-7.el5.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=x86_64", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.i386", product: { name: "dovecot-0:1.0.7-7.el5.i386", product_id: "dovecot-0:1.0.7-7.el5.i386", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=i386", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.i386", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.i386", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.i386", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=i386", }, }, }, ], category: "architecture", name: "i386", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.ia64", product: { name: "dovecot-0:1.0.7-7.el5.ia64", product_id: "dovecot-0:1.0.7-7.el5.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ia64", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ia64", }, }, }, ], category: "architecture", name: "ia64", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.ppc", product: { name: "dovecot-0:1.0.7-7.el5.ppc", product_id: "dovecot-0:1.0.7-7.el5.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ppc", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ppc", }, }, }, ], category: "architecture", name: "ppc", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.s390x", product: { name: "dovecot-0:1.0.7-7.el5.s390x", product_id: "dovecot-0:1.0.7-7.el5.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=s390x", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", }, product_reference: "dovecot-0:1.0.7-7.el5.i386", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", }, product_reference: "dovecot-0:1.0.7-7.el5.ia64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", }, product_reference: "dovecot-0:1.0.7-7.el5.ppc", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", }, product_reference: "dovecot-0:1.0.7-7.el5.s390x", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", }, product_reference: "dovecot-0:1.0.7-7.el5.src", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", }, product_reference: "dovecot-0:1.0.7-7.el5.x86_64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.i386", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.i386", }, product_reference: "dovecot-0:1.0.7-7.el5.i386", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.ia64", }, product_reference: "dovecot-0:1.0.7-7.el5.ia64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.ppc", }, product_reference: "dovecot-0:1.0.7-7.el5.ppc", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.s390x", }, product_reference: "dovecot-0:1.0.7-7.el5.s390x", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.src", }, product_reference: "dovecot-0:1.0.7-7.el5.src", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.x86_64", }, product_reference: "dovecot-0:1.0.7-7.el5.x86_64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.i386", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", relates_to_product_reference: "5Server", }, ], }, vulnerabilities: [ { cve: "CVE-2008-4577", discovery_date: "2008-10-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "467436", }, ], notes: [ { category: "description", text: "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.", title: "Vulnerability description", }, { category: "summary", text: "dovecot: incorrect handling of negative rights in the ACL plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2008-4577", }, { category: "external", summary: "RHBZ#467436", url: "https://bugzilla.redhat.com/show_bug.cgi?id=467436", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2008-4577", url: "https://www.cve.org/CVERecord?id=CVE-2008-4577", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2008-4577", url: "https://nvd.nist.gov/vuln/detail/CVE-2008-4577", }, ], release_date: "2008-10-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2009-01-20T15:45:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2009:0205", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:S/C:P/I:P/A:N", version: "2.0", }, products: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "dovecot: incorrect handling of negative rights in the ACL plugin", }, { cve: "CVE-2008-4870", discovery_date: "2008-03-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "469659", }, ], notes: [ { category: "description", text: "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.", title: "Vulnerability description", }, { category: "summary", text: "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions", title: "Vulnerability summary", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2008-4870", }, { category: "external", summary: "RHBZ#469659", url: "https://bugzilla.redhat.com/show_bug.cgi?id=469659", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2008-4870", url: "https://www.cve.org/CVERecord?id=CVE-2008-4870", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2008-4870", url: "https://nvd.nist.gov/vuln/detail/CVE-2008-4870", }, ], release_date: "2008-03-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2009-01-20T15:45:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2009:0205", }, ], threats: [ { category: "impact", details: "Low", }, ], title: "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions", }, ], }
RHSA-2009:0205
Vulnerability from csaf_redhat
Published
2009-01-20 15:45
Modified
2024-11-22 02:17
Summary
Red Hat Security Advisory: dovecot security and bug fix update
Notes
Topic
An updated dovecot package that corrects two security flaws and various bugs
is now available for Red Hat Enterprise Linux 5.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
Details
Dovecot is an IMAP server for Linux and UNIX-like systems, primarily
written with security in mind.
A flaw was found in Dovecot's ACL plug-in. The ACL plug-in treated negative
access rights as positive rights, which could allow an attacker to bypass
intended access restrictions. (CVE-2008-4577)
A password disclosure flaw was found with Dovecot's configuration file. If
a system had the "ssl_key_password" option defined, any local user could
view the SSL key password. (CVE-2008-4870)
Note: This flaw did not allow the attacker to acquire the contents of the
SSL key. The password has no value without the key file which arbitrary
users should not have read access to.
To better protect even this value, however, the dovecot.conf file now
supports the "!include_try" directive. The ssl_key_password option should
be moved from dovecot.conf to a new file owned by, and only readable and
writable by, root (ie 0600). This file should be referenced from
dovecot.conf by setting the "!include_try [/path/to/password/file]" option.
Additionally, this update addresses the following bugs:
* the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if
the dovecot binary or configuration files existed. It also used the wrong
pid file for checking the dovecot service's status. This update includes a
new init script that corrects these errors.
* the %files section of the dovecot spec file did not include "%dir
%{ssldir}/private". As a consequence, the /etc/pki/private/ directory was
not owned by dovecot. (Note: files inside /etc/pki/private/ were and are
owned by dovecot.) With this update, the missing line has been added to the
spec file, and the noted directory is now owned by dovecot.
* in some previously released versions of dovecot, the authentication
process accepted (and passed along un-escaped) passwords containing
characters that had special meaning to dovecot's internal protocols. This
updated release prevents such passwords from being passed back, instead
returning the error, "Attempted login with password having illegal chars".
Note: dovecot versions previously shipped with Red Hat Enterprise Linux 5
did not allow this behavior. This update addresses the issue above but said
issue was only present in versions of dovecot not previously included with
Red Hat Enterprise Linux 5.
Users of dovecot are advised to upgrade to this updated package, which
addresses these vulnerabilities and resolves these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Low", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An updated dovecot package that corrects two security flaws and various bugs\nis now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.", title: "Topic", }, { category: "general", text: "Dovecot is an IMAP server for Linux and UNIX-like systems, primarily\nwritten with security in mind.\n\nA flaw was found in Dovecot's ACL plug-in. The ACL plug-in treated negative\naccess rights as positive rights, which could allow an attacker to bypass\nintended access restrictions. (CVE-2008-4577)\n\nA password disclosure flaw was found with Dovecot's configuration file. If\na system had the \"ssl_key_password\" option defined, any local user could\nview the SSL key password. (CVE-2008-4870)\n\nNote: This flaw did not allow the attacker to acquire the contents of the\nSSL key. The password has no value without the key file which arbitrary\nusers should not have read access to.\n\nTo better protect even this value, however, the dovecot.conf file now\nsupports the \"!include_try\" directive. The ssl_key_password option should\nbe moved from dovecot.conf to a new file owned by, and only readable and\nwritable by, root (ie 0600). This file should be referenced from\ndovecot.conf by setting the \"!include_try [/path/to/password/file]\" option.\n\nAdditionally, this update addresses the following bugs:\n\n* the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if\nthe dovecot binary or configuration files existed. It also used the wrong\npid file for checking the dovecot service's status. This update includes a\nnew init script that corrects these errors.\n\n* the %files section of the dovecot spec file did not include \"%dir\n%{ssldir}/private\". As a consequence, the /etc/pki/private/ directory was\nnot owned by dovecot. (Note: files inside /etc/pki/private/ were and are\nowned by dovecot.) With this update, the missing line has been added to the\nspec file, and the noted directory is now owned by dovecot.\n\n* in some previously released versions of dovecot, the authentication\nprocess accepted (and passed along un-escaped) passwords containing\ncharacters that had special meaning to dovecot's internal protocols. This\nupdated release prevents such passwords from being passed back, instead\nreturning the error, \"Attempted login with password having illegal chars\".\n\nNote: dovecot versions previously shipped with Red Hat Enterprise Linux 5\ndid not allow this behavior. This update addresses the issue above but said\nissue was only present in versions of dovecot not previously included with\nRed Hat Enterprise Linux 5.\n\nUsers of dovecot are advised to upgrade to this updated package, which\naddresses these vulnerabilities and resolves these issues.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2009:0205", url: "https://access.redhat.com/errata/RHSA-2009:0205", }, { category: "external", summary: "http://www.redhat.com/security/updates/classification/#low", url: "http://www.redhat.com/security/updates/classification/#low", }, { category: "external", summary: "238016", url: "https://bugzilla.redhat.com/show_bug.cgi?id=238016", }, { category: "external", summary: "436287", url: "https://bugzilla.redhat.com/show_bug.cgi?id=436287", }, { category: "external", summary: "439369", url: "https://bugzilla.redhat.com/show_bug.cgi?id=439369", }, { category: "external", summary: "448089", url: "https://bugzilla.redhat.com/show_bug.cgi?id=448089", }, { category: "external", summary: "467436", url: "https://bugzilla.redhat.com/show_bug.cgi?id=467436", }, { category: "external", summary: "469659", url: "https://bugzilla.redhat.com/show_bug.cgi?id=469659", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_0205.json", }, ], title: "Red Hat Security Advisory: dovecot security and bug fix update", tracking: { current_release_date: "2024-11-22T02:17:23+00:00", generator: { date: "2024-11-22T02:17:23+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2009:0205", initial_release_date: "2009-01-20T15:45:00+00:00", revision_history: [ { date: "2009-01-20T15:45:00+00:00", number: "1", summary: "Initial version", }, { date: "2009-01-20T11:06:11+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T02:17:23+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product: { name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::client_workstation", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux (v. 5 server)", product: { name: "Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::server", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.src", product: { name: "dovecot-0:1.0.7-7.el5.src", product_id: "dovecot-0:1.0.7-7.el5.src", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.x86_64", product: { name: "dovecot-0:1.0.7-7.el5.x86_64", product_id: "dovecot-0:1.0.7-7.el5.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=x86_64", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.i386", product: { name: "dovecot-0:1.0.7-7.el5.i386", product_id: "dovecot-0:1.0.7-7.el5.i386", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=i386", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.i386", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.i386", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.i386", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=i386", }, }, }, ], category: "architecture", name: "i386", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.ia64", product: { name: "dovecot-0:1.0.7-7.el5.ia64", product_id: "dovecot-0:1.0.7-7.el5.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ia64", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ia64", }, }, }, ], category: "architecture", name: "ia64", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.ppc", product: { name: "dovecot-0:1.0.7-7.el5.ppc", product_id: "dovecot-0:1.0.7-7.el5.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ppc", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ppc", }, }, }, ], category: "architecture", name: "ppc", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.s390x", product: { name: "dovecot-0:1.0.7-7.el5.s390x", product_id: "dovecot-0:1.0.7-7.el5.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=s390x", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", }, product_reference: "dovecot-0:1.0.7-7.el5.i386", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", }, product_reference: "dovecot-0:1.0.7-7.el5.ia64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", }, product_reference: "dovecot-0:1.0.7-7.el5.ppc", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", }, product_reference: "dovecot-0:1.0.7-7.el5.s390x", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", }, product_reference: "dovecot-0:1.0.7-7.el5.src", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", }, product_reference: "dovecot-0:1.0.7-7.el5.x86_64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.i386", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.i386", }, product_reference: "dovecot-0:1.0.7-7.el5.i386", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.ia64", }, product_reference: "dovecot-0:1.0.7-7.el5.ia64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.ppc", }, product_reference: "dovecot-0:1.0.7-7.el5.ppc", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.s390x", }, product_reference: "dovecot-0:1.0.7-7.el5.s390x", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.src", }, product_reference: "dovecot-0:1.0.7-7.el5.src", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.x86_64", }, product_reference: "dovecot-0:1.0.7-7.el5.x86_64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.i386", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", relates_to_product_reference: "5Server", }, ], }, vulnerabilities: [ { cve: "CVE-2008-4577", discovery_date: "2008-10-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "467436", }, ], notes: [ { category: "description", text: "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.", title: "Vulnerability description", }, { category: "summary", text: "dovecot: incorrect handling of negative rights in the ACL plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2008-4577", }, { category: "external", summary: "RHBZ#467436", url: "https://bugzilla.redhat.com/show_bug.cgi?id=467436", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2008-4577", url: "https://www.cve.org/CVERecord?id=CVE-2008-4577", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2008-4577", url: "https://nvd.nist.gov/vuln/detail/CVE-2008-4577", }, ], release_date: "2008-10-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2009-01-20T15:45:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2009:0205", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:S/C:P/I:P/A:N", version: "2.0", }, products: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "dovecot: incorrect handling of negative rights in the ACL plugin", }, { cve: "CVE-2008-4870", discovery_date: "2008-03-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "469659", }, ], notes: [ { category: "description", text: "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.", title: "Vulnerability description", }, { category: "summary", text: "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions", title: "Vulnerability summary", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2008-4870", }, { category: "external", summary: "RHBZ#469659", url: "https://bugzilla.redhat.com/show_bug.cgi?id=469659", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2008-4870", url: "https://www.cve.org/CVERecord?id=CVE-2008-4870", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2008-4870", url: "https://nvd.nist.gov/vuln/detail/CVE-2008-4870", }, ], release_date: "2008-03-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2009-01-20T15:45:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2009:0205", }, ], threats: [ { category: "impact", details: "Low", }, ], title: "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions", }, ], }
rhsa-2009:0205
Vulnerability from csaf_redhat
Published
2009-01-20 15:45
Modified
2024-11-22 02:17
Summary
Red Hat Security Advisory: dovecot security and bug fix update
Notes
Topic
An updated dovecot package that corrects two security flaws and various bugs
is now available for Red Hat Enterprise Linux 5.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
Details
Dovecot is an IMAP server for Linux and UNIX-like systems, primarily
written with security in mind.
A flaw was found in Dovecot's ACL plug-in. The ACL plug-in treated negative
access rights as positive rights, which could allow an attacker to bypass
intended access restrictions. (CVE-2008-4577)
A password disclosure flaw was found with Dovecot's configuration file. If
a system had the "ssl_key_password" option defined, any local user could
view the SSL key password. (CVE-2008-4870)
Note: This flaw did not allow the attacker to acquire the contents of the
SSL key. The password has no value without the key file which arbitrary
users should not have read access to.
To better protect even this value, however, the dovecot.conf file now
supports the "!include_try" directive. The ssl_key_password option should
be moved from dovecot.conf to a new file owned by, and only readable and
writable by, root (ie 0600). This file should be referenced from
dovecot.conf by setting the "!include_try [/path/to/password/file]" option.
Additionally, this update addresses the following bugs:
* the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if
the dovecot binary or configuration files existed. It also used the wrong
pid file for checking the dovecot service's status. This update includes a
new init script that corrects these errors.
* the %files section of the dovecot spec file did not include "%dir
%{ssldir}/private". As a consequence, the /etc/pki/private/ directory was
not owned by dovecot. (Note: files inside /etc/pki/private/ were and are
owned by dovecot.) With this update, the missing line has been added to the
spec file, and the noted directory is now owned by dovecot.
* in some previously released versions of dovecot, the authentication
process accepted (and passed along un-escaped) passwords containing
characters that had special meaning to dovecot's internal protocols. This
updated release prevents such passwords from being passed back, instead
returning the error, "Attempted login with password having illegal chars".
Note: dovecot versions previously shipped with Red Hat Enterprise Linux 5
did not allow this behavior. This update addresses the issue above but said
issue was only present in versions of dovecot not previously included with
Red Hat Enterprise Linux 5.
Users of dovecot are advised to upgrade to this updated package, which
addresses these vulnerabilities and resolves these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Low", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An updated dovecot package that corrects two security flaws and various bugs\nis now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.", title: "Topic", }, { category: "general", text: "Dovecot is an IMAP server for Linux and UNIX-like systems, primarily\nwritten with security in mind.\n\nA flaw was found in Dovecot's ACL plug-in. The ACL plug-in treated negative\naccess rights as positive rights, which could allow an attacker to bypass\nintended access restrictions. (CVE-2008-4577)\n\nA password disclosure flaw was found with Dovecot's configuration file. If\na system had the \"ssl_key_password\" option defined, any local user could\nview the SSL key password. (CVE-2008-4870)\n\nNote: This flaw did not allow the attacker to acquire the contents of the\nSSL key. The password has no value without the key file which arbitrary\nusers should not have read access to.\n\nTo better protect even this value, however, the dovecot.conf file now\nsupports the \"!include_try\" directive. The ssl_key_password option should\nbe moved from dovecot.conf to a new file owned by, and only readable and\nwritable by, root (ie 0600). This file should be referenced from\ndovecot.conf by setting the \"!include_try [/path/to/password/file]\" option.\n\nAdditionally, this update addresses the following bugs:\n\n* the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if\nthe dovecot binary or configuration files existed. It also used the wrong\npid file for checking the dovecot service's status. This update includes a\nnew init script that corrects these errors.\n\n* the %files section of the dovecot spec file did not include \"%dir\n%{ssldir}/private\". As a consequence, the /etc/pki/private/ directory was\nnot owned by dovecot. (Note: files inside /etc/pki/private/ were and are\nowned by dovecot.) With this update, the missing line has been added to the\nspec file, and the noted directory is now owned by dovecot.\n\n* in some previously released versions of dovecot, the authentication\nprocess accepted (and passed along un-escaped) passwords containing\ncharacters that had special meaning to dovecot's internal protocols. This\nupdated release prevents such passwords from being passed back, instead\nreturning the error, \"Attempted login with password having illegal chars\".\n\nNote: dovecot versions previously shipped with Red Hat Enterprise Linux 5\ndid not allow this behavior. This update addresses the issue above but said\nissue was only present in versions of dovecot not previously included with\nRed Hat Enterprise Linux 5.\n\nUsers of dovecot are advised to upgrade to this updated package, which\naddresses these vulnerabilities and resolves these issues.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2009:0205", url: "https://access.redhat.com/errata/RHSA-2009:0205", }, { category: "external", summary: "http://www.redhat.com/security/updates/classification/#low", url: "http://www.redhat.com/security/updates/classification/#low", }, { category: "external", summary: "238016", url: "https://bugzilla.redhat.com/show_bug.cgi?id=238016", }, { category: "external", summary: "436287", url: "https://bugzilla.redhat.com/show_bug.cgi?id=436287", }, { category: "external", summary: "439369", url: "https://bugzilla.redhat.com/show_bug.cgi?id=439369", }, { category: "external", summary: "448089", url: "https://bugzilla.redhat.com/show_bug.cgi?id=448089", }, { category: "external", summary: "467436", url: "https://bugzilla.redhat.com/show_bug.cgi?id=467436", }, { category: "external", summary: "469659", url: "https://bugzilla.redhat.com/show_bug.cgi?id=469659", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_0205.json", }, ], title: "Red Hat Security Advisory: dovecot security and bug fix update", tracking: { current_release_date: "2024-11-22T02:17:23+00:00", generator: { date: "2024-11-22T02:17:23+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2009:0205", initial_release_date: "2009-01-20T15:45:00+00:00", revision_history: [ { date: "2009-01-20T15:45:00+00:00", number: "1", summary: "Initial version", }, { date: "2009-01-20T11:06:11+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T02:17:23+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product: { name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::client_workstation", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux (v. 5 server)", product: { name: "Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::server", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.src", product: { name: "dovecot-0:1.0.7-7.el5.src", product_id: "dovecot-0:1.0.7-7.el5.src", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.x86_64", product: { name: "dovecot-0:1.0.7-7.el5.x86_64", product_id: "dovecot-0:1.0.7-7.el5.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=x86_64", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.i386", product: { name: "dovecot-0:1.0.7-7.el5.i386", product_id: "dovecot-0:1.0.7-7.el5.i386", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=i386", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.i386", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.i386", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.i386", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=i386", }, }, }, ], category: "architecture", name: "i386", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.ia64", product: { name: "dovecot-0:1.0.7-7.el5.ia64", product_id: "dovecot-0:1.0.7-7.el5.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ia64", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ia64", }, }, }, ], category: "architecture", name: "ia64", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.ppc", product: { name: "dovecot-0:1.0.7-7.el5.ppc", product_id: "dovecot-0:1.0.7-7.el5.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ppc", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ppc", }, }, }, ], category: "architecture", name: "ppc", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-7.el5.s390x", product: { name: "dovecot-0:1.0.7-7.el5.s390x", product_id: "dovecot-0:1.0.7-7.el5.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=s390x", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", product: { name: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", product_id: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", }, product_reference: "dovecot-0:1.0.7-7.el5.i386", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", }, product_reference: "dovecot-0:1.0.7-7.el5.ia64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", }, product_reference: "dovecot-0:1.0.7-7.el5.ppc", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", }, product_reference: "dovecot-0:1.0.7-7.el5.s390x", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", }, product_reference: "dovecot-0:1.0.7-7.el5.src", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", }, product_reference: "dovecot-0:1.0.7-7.el5.x86_64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.i386", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.i386", }, product_reference: "dovecot-0:1.0.7-7.el5.i386", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.ia64", }, product_reference: "dovecot-0:1.0.7-7.el5.ia64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.ppc", }, product_reference: "dovecot-0:1.0.7-7.el5.ppc", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.s390x", }, product_reference: "dovecot-0:1.0.7-7.el5.s390x", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.src", }, product_reference: "dovecot-0:1.0.7-7.el5.src", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-7.el5.x86_64", }, product_reference: "dovecot-0:1.0.7-7.el5.x86_64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.i386", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.ia64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.ppc", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.s390x", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", }, product_reference: "dovecot-debuginfo-0:1.0.7-7.el5.x86_64", relates_to_product_reference: "5Server", }, ], }, vulnerabilities: [ { cve: "CVE-2008-4577", discovery_date: "2008-10-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "467436", }, ], notes: [ { category: "description", text: "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.", title: "Vulnerability description", }, { category: "summary", text: "dovecot: incorrect handling of negative rights in the ACL plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2008-4577", }, { category: "external", summary: "RHBZ#467436", url: "https://bugzilla.redhat.com/show_bug.cgi?id=467436", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2008-4577", url: "https://www.cve.org/CVERecord?id=CVE-2008-4577", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2008-4577", url: "https://nvd.nist.gov/vuln/detail/CVE-2008-4577", }, ], release_date: "2008-10-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2009-01-20T15:45:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2009:0205", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:S/C:P/I:P/A:N", version: "2.0", }, products: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "dovecot: incorrect handling of negative rights in the ACL plugin", }, { cve: "CVE-2008-4870", discovery_date: "2008-03-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "469659", }, ], notes: [ { category: "description", text: "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.", title: "Vulnerability description", }, { category: "summary", text: "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions", title: "Vulnerability summary", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2008-4870", }, { category: "external", summary: "RHBZ#469659", url: "https://bugzilla.redhat.com/show_bug.cgi?id=469659", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2008-4870", url: "https://www.cve.org/CVERecord?id=CVE-2008-4870", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2008-4870", url: "https://nvd.nist.gov/vuln/detail/CVE-2008-4870", }, ], release_date: "2008-03-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2009-01-20T15:45:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-7.el5.src", "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", "5Server:dovecot-0:1.0.7-7.el5.i386", "5Server:dovecot-0:1.0.7-7.el5.ia64", "5Server:dovecot-0:1.0.7-7.el5.ppc", "5Server:dovecot-0:1.0.7-7.el5.s390x", "5Server:dovecot-0:1.0.7-7.el5.src", "5Server:dovecot-0:1.0.7-7.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2009:0205", }, ], threats: [ { category: "impact", details: "Low", }, ], title: "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions", }, ], }
ghsa-24jq-h48j-g592
Vulnerability from github
Published
2022-05-02 00:11
Modified
2024-01-21 03:30
Severity ?
Details
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
{ affected: [], aliases: [ "CVE-2008-4577", ], database_specific: { cwe_ids: [ "CWE-863", ], github_reviewed: false, github_reviewed_at: null, nvd_published_at: "2008-10-15T20:08:00Z", severity: "MODERATE", }, details: "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.", id: "GHSA-24jq-h48j-g592", modified: "2024-01-21T03:30:23Z", published: "2022-05-02T00:11:23Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2008-4577", }, { type: "WEB", url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376", }, { type: "WEB", url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html", }, { type: "WEB", url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html", }, { type: "WEB", url: "http://bugs.gentoo.org/show_bug.cgi?id=240409", }, { type: "WEB", url: "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", }, { type: "WEB", url: "http://secunia.com/advisories/32164", }, { type: "WEB", url: "http://secunia.com/advisories/32471", }, { type: "WEB", url: "http://secunia.com/advisories/33149", }, { type: "WEB", url: "http://secunia.com/advisories/33624", }, { type: "WEB", url: "http://secunia.com/advisories/36904", }, { type: "WEB", url: "http://security.gentoo.org/glsa/glsa-200812-16.xml", }, { type: "WEB", url: "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html", }, { type: "WEB", url: "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232", }, { type: "WEB", url: "http://www.redhat.com/support/errata/RHSA-2009-0205.html", }, { type: "WEB", url: "http://www.securityfocus.com/bid/31587", }, { type: "WEB", url: "http://www.ubuntu.com/usn/USN-838-1", }, { type: "WEB", url: "http://www.vupen.com/english/advisories/2008/2745", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", type: "CVSS_V3", }, ], }
fkie_cve-2008-4577
Vulnerability from fkie_nvd
Published
2008-10-15 20:08
Modified
2025-04-09 00:30
Severity ?
Summary
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dovecot | dovecot | * | |
| fedoraproject | fedora | 8 | |
| fedoraproject | fedora | 9 | |
| opensuse | opensuse | 10.3-11.1 | |
| canonical | ubuntu_linux | 8.04 | |
| canonical | ubuntu_linux | 8.10 | |
| canonical | ubuntu_linux | 9.04 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", matchCriteriaId: "B084417D-FA5E-45DE-AA03-3932D9292B30", versionEndExcluding: "1.1.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*", matchCriteriaId: "72E4DB7F-07C3-46BB-AAA2-05CD0312C57F", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*", matchCriteriaId: "743CBBB1-C140-4FEF-B40E-FAE4511B1140", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:opensuse:opensuse:10.3-11.1:*:*:*:*:*:*:*", matchCriteriaId: "F7018930-D354-4B31-870E-D0E3CE19C8B5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*", matchCriteriaId: "7EBFE35C-E243-43D1-883D-4398D71763CC", vulnerable: true, }, { criteria: "cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*", matchCriteriaId: "4747CC68-FAF4-482F-929A-9DA6C24CB663", vulnerable: true, }, { criteria: "cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*", matchCriteriaId: "A5D026D0-EF78-438D-BEDD-FC8571F3ACEB", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.", }, { lang: "es", value: "El plugin ACL en Dovecot anterior a 1.1.4 amenaza los derechos del acceso negativo como si fueran derechos de acceso positivos, lo que permite a atacantes evitar las restricciones de acceso previstas.", }, ], id: "CVE-2008-4577", lastModified: "2025-04-09T00:30:58.490", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2008-10-15T20:08:02.670", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", ], url: "http://bugs.gentoo.org/show_bug.cgi?id=240409", }, { source: "secalert@redhat.com", tags: [ "Mailing List", ], url: "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", }, { source: "secalert@redhat.com", tags: [ "Broken Link", "Vendor Advisory", ], url: "http://secunia.com/advisories/32164", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "http://secunia.com/advisories/32471", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "http://secunia.com/advisories/33149", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "http://secunia.com/advisories/33624", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "http://secunia.com/advisories/36904", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://security.gentoo.org/glsa/glsa-200812-16.xml", }, { source: "secalert@redhat.com", tags: [ "Mailing List", "Release Notes", ], url: "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "http://www.redhat.com/support/errata/RHSA-2009-0205.html", }, { source: "secalert@redhat.com", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/31587", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://www.ubuntu.com/usn/USN-838-1", }, { source: "secalert@redhat.com", tags: [ "Permissions Required", ], url: "http://www.vupen.com/english/advisories/2008/2745", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376", }, { source: "secalert@redhat.com", tags: [ "Mailing List", ], url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html", }, { source: "secalert@redhat.com", tags: [ "Mailing List", ], url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", ], url: "http://bugs.gentoo.org/show_bug.cgi?id=240409", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Vendor Advisory", ], url: "http://secunia.com/advisories/32164", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", ], url: "http://secunia.com/advisories/32471", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", ], url: "http://secunia.com/advisories/33149", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", ], url: "http://secunia.com/advisories/33624", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", ], url: "http://secunia.com/advisories/36904", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://security.gentoo.org/glsa/glsa-200812-16.xml", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Release Notes", ], url: "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", ], url: "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", ], url: "http://www.redhat.com/support/errata/RHSA-2009-0205.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/31587", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://www.ubuntu.com/usn/USN-838-1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "http://www.vupen.com/english/advisories/2008/2745", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", ], url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
gsd-2008-4577
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
Aliases
Aliases
{ GSD: { alias: "CVE-2008-4577", description: "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.", id: "GSD-2008-4577", references: [ "https://www.suse.com/security/cve/CVE-2008-4577.html", "https://access.redhat.com/errata/RHSA-2009:0205", "https://linux.oracle.com/cve/CVE-2008-4577.html", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2008-4577", ], details: "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.", id: "GSD-2008-4577", modified: "2023-12-13T01:23:00.252007Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2008-4577", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_affected: "=", version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", refsource: "MISC", url: "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", }, { name: "http://bugs.gentoo.org/show_bug.cgi?id=240409", refsource: "MISC", url: "http://bugs.gentoo.org/show_bug.cgi?id=240409", }, { name: "http://secunia.com/advisories/32164", refsource: "MISC", url: "http://secunia.com/advisories/32164", }, { name: "http://secunia.com/advisories/32471", refsource: "MISC", url: "http://secunia.com/advisories/32471", }, { name: "http://secunia.com/advisories/33149", refsource: "MISC", url: "http://secunia.com/advisories/33149", }, { name: "http://secunia.com/advisories/33624", refsource: "MISC", url: "http://secunia.com/advisories/33624", }, { name: "http://secunia.com/advisories/36904", refsource: "MISC", url: "http://secunia.com/advisories/36904", }, { name: "http://security.gentoo.org/glsa/glsa-200812-16.xml", refsource: "MISC", url: "http://security.gentoo.org/glsa/glsa-200812-16.xml", }, { name: "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html", refsource: "MISC", url: "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html", }, { name: "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232", refsource: "MISC", url: "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232", }, { name: "http://www.redhat.com/support/errata/RHSA-2009-0205.html", refsource: "MISC", url: "http://www.redhat.com/support/errata/RHSA-2009-0205.html", }, { name: "http://www.securityfocus.com/bid/31587", refsource: "MISC", url: "http://www.securityfocus.com/bid/31587", }, { name: "http://www.ubuntu.com/usn/USN-838-1", refsource: "MISC", url: "http://www.ubuntu.com/usn/USN-838-1", }, { name: "http://www.vupen.com/english/advisories/2008/2745", refsource: "MISC", url: "http://www.vupen.com/english/advisories/2008/2745", }, { name: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376", refsource: "MISC", url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376", }, { name: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html", refsource: "MISC", url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html", }, { name: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html", refsource: "MISC", url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html", }, ], }, }, "nvd.nist.gov": { cve: { configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", matchCriteriaId: "B084417D-FA5E-45DE-AA03-3932D9292B30", versionEndExcluding: "1.1.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*", matchCriteriaId: "72E4DB7F-07C3-46BB-AAA2-05CD0312C57F", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*", matchCriteriaId: "743CBBB1-C140-4FEF-B40E-FAE4511B1140", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:opensuse:opensuse:10.3-11.1:*:*:*:*:*:*:*", matchCriteriaId: "F7018930-D354-4B31-870E-D0E3CE19C8B5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*", matchCriteriaId: "7EBFE35C-E243-43D1-883D-4398D71763CC", vulnerable: true, }, { criteria: "cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*", matchCriteriaId: "4747CC68-FAF4-482F-929A-9DA6C24CB663", vulnerable: true, }, { criteria: "cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*", matchCriteriaId: "A5D026D0-EF78-438D-BEDD-FC8571F3ACEB", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], descriptions: [ { lang: "en", value: "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.", }, { lang: "es", value: "El plugin ACL en Dovecot anterior a 1.1.4 amenaza los derechos del acceso negativo como si fueran derechos de acceso positivos, lo que permite a atacantes evitar las restricciones de acceso previstas.", }, ], id: "CVE-2008-4577", lastModified: "2024-01-21T02:46:56.287", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2008-10-15T20:08:02.670", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", ], url: "http://bugs.gentoo.org/show_bug.cgi?id=240409", }, { source: "secalert@redhat.com", tags: [ "Mailing List", ], url: "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", }, { source: "secalert@redhat.com", tags: [ "Broken Link", "Vendor Advisory", ], url: "http://secunia.com/advisories/32164", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "http://secunia.com/advisories/32471", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "http://secunia.com/advisories/33149", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "http://secunia.com/advisories/33624", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "http://secunia.com/advisories/36904", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://security.gentoo.org/glsa/glsa-200812-16.xml", }, { source: "secalert@redhat.com", tags: [ "Mailing List", "Release Notes", ], url: "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "http://www.redhat.com/support/errata/RHSA-2009-0205.html", }, { source: "secalert@redhat.com", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/31587", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://www.ubuntu.com/usn/USN-838-1", }, { source: "secalert@redhat.com", tags: [ "Permissions Required", ], url: "http://www.vupen.com/english/advisories/2008/2745", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376", }, { source: "secalert@redhat.com", tags: [ "Mailing List", ], url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html", }, { source: "secalert@redhat.com", tags: [ "Mailing List", ], url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }, }, }, }
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.