Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2008-4870 (GCVE-0-2008-4870)
Vulnerability from cvelistv5 – Published: 2008-10-31 22:00 – Updated: 2024-08-07 10:31
VLAI
EPSS
Summary
dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
9 references
| URL | Tags |
|---|---|
| http://secunia.com/advisories/32164 | third-party-advisoryx_refsource_SECUNIA |
| http://www.openwall.com/lists/oss-security/2008/1… | mailing-listx_refsource_MLIST |
| http://secunia.com/advisories/33149 | third-party-advisoryx_refsource_SECUNIA |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entryx_refsource_XF |
| https://bugzilla.redhat.com/show_bug.cgi?id=436287 | x_refsource_CONFIRM |
| http://security.gentoo.org/glsa/glsa-200812-16.xml | vendor-advisoryx_refsource_GENTOO |
| http://www.redhat.com/support/errata/RHSA-2009-02… | vendor-advisoryx_refsource_REDHAT |
| http://secunia.com/advisories/33624 | third-party-advisoryx_refsource_SECUNIA |
| https://oval.cisecurity.org/repository/search/def… | vdb-entrysignaturex_refsource_OVAL |
Date Public
2008-10-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T10:31:27.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "32164",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/32164"
},
{
"name": "[oss-security] 20081029 CVE Request (dovecot)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2008/10/29/10"
},
{
"name": "33149",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/33149"
},
{
"name": "dovecot-dovecot-information-disclosure(46323)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287"
},
{
"name": "GLSA-200812-16",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
},
{
"name": "RHSA-2009:0205",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
},
{
"name": "33624",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/33624"
},
{
"name": "oval:org.mitre.oval:def:10776",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL",
"x_transferred"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-10-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-28T12:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "32164",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/32164"
},
{
"name": "[oss-security] 20081029 CVE Request (dovecot)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2008/10/29/10"
},
{
"name": "33149",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/33149"
},
{
"name": "dovecot-dovecot-information-disclosure(46323)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287"
},
{
"name": "GLSA-200812-16",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
},
{
"name": "RHSA-2009:0205",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
},
{
"name": "33624",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/33624"
},
{
"name": "oval:org.mitre.oval:def:10776",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-4870",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "32164",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/32164"
},
{
"name": "[oss-security] 20081029 CVE Request (dovecot)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2008/10/29/10"
},
{
"name": "33149",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/33149"
},
{
"name": "dovecot-dovecot-information-disclosure(46323)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=436287",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287"
},
{
"name": "GLSA-200812-16",
"refsource": "GENTOO",
"url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
},
{
"name": "RHSA-2009:0205",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
},
{
"name": "33624",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/33624"
},
{
"name": "oval:org.mitre.oval:def:10776",
"refsource": "OVAL",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-4870",
"datePublished": "2008-10-31T22:00:00.000Z",
"dateReserved": "2008-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-07T10:31:27.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2008-4870",
"date": "2026-06-08",
"epss": "0.0004",
"percentile": "0.12537"
},
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4A349510-4D00-4978-93D9-3F9F5E0CD8DE\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1D8B549B-E57B-4DFE-8A13-CAB06B5356B3\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.\"}, {\"lang\": \"es\", \"value\": \"dovecot 1.0.7 en Red Hat Enterprise Linux (RHEL) 5 y posiblemente Fedora, utiliza permisos le\\u00edbles por todo el mundo para dovecot.conf, lo que permite a usuarios locales obtener el valor del par\\u00e1metro ssl_key_password.\"}]",
"id": "CVE-2008-4870",
"lastModified": "2024-11-21T00:52:43.197",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 2.1, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.9, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2008-11-01T00:00:01.273",
"references": "[{\"url\": \"http://secunia.com/advisories/32164\", \"source\": \"cve@mitre.org\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://secunia.com/advisories/33149\", \"source\": \"cve@mitre.org\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://secunia.com/advisories/33624\", \"source\": \"cve@mitre.org\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://security.gentoo.org/glsa/glsa-200812-16.xml\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2008/10/29/10\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.redhat.com/support/errata/RHSA-2009-0205.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=436287\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/46323\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776\", \"source\": \"cve@mitre.org\", \"tags\": [\"Tool Signature\"]}, {\"url\": \"http://secunia.com/advisories/32164\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://secunia.com/advisories/33149\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://secunia.com/advisories/33624\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://security.gentoo.org/glsa/glsa-200812-16.xml\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2008/10/29/10\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.redhat.com/support/errata/RHSA-2009-0205.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=436287\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/46323\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Tool Signature\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-732\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2008-4870\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2008-11-01T00:00:01.273\",\"lastModified\":\"2026-04-23T00:35:47.467\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.\"},{\"lang\":\"es\",\"value\":\"dovecot 1.0.7 en Red Hat Enterprise Linux (RHEL) 5 y posiblemente Fedora, utiliza permisos le\u00edbles por todo el mundo para dovecot.conf, lo que permite a usuarios locales obtener el valor del par\u00e1metro ssl_key_password.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":2.1,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-732\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A349510-4D00-4978-93D9-3F9F5E0CD8DE\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D8B549B-E57B-4DFE-8A13-CAB06B5356B3\"}]}]}],\"references\":[{\"url\":\"http://secunia.com/advisories/32164\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/33149\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/33624\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://security.gentoo.org/glsa/glsa-200812-16.xml\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2008/10/29/10\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2009-0205.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=436287\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/46323\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776\",\"source\":\"cve@mitre.org\",\"tags\":[\"Tool Signature\"]},{\"url\":\"http://secunia.com/advisories/32164\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/33149\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/33624\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://security.gentoo.org/glsa/glsa-200812-16.xml\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2008/10/29/10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2009-0205.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=436287\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/46323\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Tool Signature\"]}]}}"
}
}
FKIE_CVE-2008-4870
Vulnerability from fkie_nvd - Published: 2008-11-01 00:00 - Updated: 2026-04-23 00:35
Severity
Summary
dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dovecot | dovecot | 1.0.7 | |
| redhat | enterprise_linux | 5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4A349510-4D00-4978-93D9-3F9F5E0CD8DE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1D8B549B-E57B-4DFE-8A13-CAB06B5356B3",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value."
},
{
"lang": "es",
"value": "dovecot 1.0.7 en Red Hat Enterprise Linux (RHEL) 5 y posiblemente Fedora, utiliza permisos le\u00edbles por todo el mundo para dovecot.conf, lo que permite a usuarios locales obtener el valor del par\u00e1metro ssl_key_password."
}
],
"id": "CVE-2008-4870",
"lastModified": "2026-04-23T00:35:47.467",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-11-01T00:00:01.273",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/32164"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/33149"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/33624"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2008/10/29/10"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323"
},
{
"source": "cve@mitre.org",
"tags": [
"Tool Signature"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/32164"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/33149"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/33624"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2008/10/29/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Tool Signature"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-7HP8-2G4V-FC2H
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03
VLAI
Details
dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.
{
"affected": [],
"aliases": [
"CVE-2008-4870"
],
"database_specific": {
"cwe_ids": [
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-01T00:00:00Z",
"severity": "LOW"
},
"details": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.",
"id": "GHSA-7hp8-2g4v-fc2h",
"modified": "2022-05-13T01:03:59Z",
"published": "2022-05-13T01:03:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4870"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32164"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/33149"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/33624"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/29/10"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GSD-2008-4870
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2008-4870",
"description": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.",
"id": "GSD-2008-4870",
"references": [
"https://www.suse.com/security/cve/CVE-2008-4870.html",
"https://access.redhat.com/errata/RHSA-2009:0205",
"https://linux.oracle.com/cve/CVE-2008-4870.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2008-4870"
],
"details": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.",
"id": "GSD-2008-4870",
"modified": "2023-12-13T01:23:00.182027Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-4870",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "32164",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/32164"
},
{
"name": "[oss-security] 20081029 CVE Request (dovecot)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2008/10/29/10"
},
{
"name": "33149",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/33149"
},
{
"name": "dovecot-dovecot-information-disclosure(46323)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=436287",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287"
},
{
"name": "GLSA-200812-16",
"refsource": "GENTOO",
"url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
},
{
"name": "RHSA-2009:0205",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
},
{
"name": "33624",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/33624"
},
{
"name": "oval:org.mitre.oval:def:10776",
"refsource": "OVAL",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-4870"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=436287",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287"
},
{
"name": "[oss-security] 20081029 CVE Request (dovecot)",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2008/10/29/10"
},
{
"name": "GLSA-200812-16",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
},
{
"name": "33149",
"refsource": "SECUNIA",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/33149"
},
{
"name": "RHSA-2009:0205",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
},
{
"name": "32164",
"refsource": "SECUNIA",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/32164"
},
{
"name": "33624",
"refsource": "SECUNIA",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/33624"
},
{
"name": "dovecot-dovecot-information-disclosure(46323)",
"refsource": "XF",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323"
},
{
"name": "oval:org.mitre.oval:def:10776",
"refsource": "OVAL",
"tags": [
"Tool Signature"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2022-02-03T19:58Z",
"publishedDate": "2008-11-01T00:00Z"
}
}
}
RHSA-2009:0205
Vulnerability from csaf_redhat - Published: 2009-01-20 15:45 - Updated: 2025-11-21 17:34Summary
Red Hat Security Advisory: dovecot security and bug fix update
Severity
Low
Notes
Topic: An updated dovecot package that corrects two security flaws and various bugs
is now available for Red Hat Enterprise Linux 5.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
Details: Dovecot is an IMAP server for Linux and UNIX-like systems, primarily
written with security in mind.
A flaw was found in Dovecot's ACL plug-in. The ACL plug-in treated negative
access rights as positive rights, which could allow an attacker to bypass
intended access restrictions. (CVE-2008-4577)
A password disclosure flaw was found with Dovecot's configuration file. If
a system had the "ssl_key_password" option defined, any local user could
view the SSL key password. (CVE-2008-4870)
Note: This flaw did not allow the attacker to acquire the contents of the
SSL key. The password has no value without the key file which arbitrary
users should not have read access to.
To better protect even this value, however, the dovecot.conf file now
supports the "!include_try" directive. The ssl_key_password option should
be moved from dovecot.conf to a new file owned by, and only readable and
writable by, root (ie 0600). This file should be referenced from
dovecot.conf by setting the "!include_try [/path/to/password/file]" option.
Additionally, this update addresses the following bugs:
* the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if
the dovecot binary or configuration files existed. It also used the wrong
pid file for checking the dovecot service's status. This update includes a
new init script that corrects these errors.
* the %files section of the dovecot spec file did not include "%dir
%{ssldir}/private". As a consequence, the /etc/pki/private/ directory was
not owned by dovecot. (Note: files inside /etc/pki/private/ were and are
owned by dovecot.) With this update, the missing line has been added to the
spec file, and the noted directory is now owned by dovecot.
* in some previously released versions of dovecot, the authentication
process accepted (and passed along un-escaped) passwords containing
characters that had special meaning to dovecot's internal protocols. This
updated release prevents such passwords from being passed back, instead
returning the error, "Attempted login with password having illegal chars".
Note: dovecot versions previously shipped with Red Hat Enterprise Linux 5
did not allow this behavior. This update addresses the issue above but said
issue was only present in versions of dovecot not previously included with
Red Hat Enterprise Linux 5.
Users of dovecot are advised to upgrade to this updated package, which
addresses these vulnerabilities and resolves these issues.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
3.6 ()
Affected products
Fixed
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.
Affected products
Fixed
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
References
17 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated dovecot package that corrects two security flaws and various bugs\nis now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.",
"title": "Topic"
},
{
"category": "general",
"text": "Dovecot is an IMAP server for Linux and UNIX-like systems, primarily\nwritten with security in mind.\n\nA flaw was found in Dovecot\u0027s ACL plug-in. The ACL plug-in treated negative\naccess rights as positive rights, which could allow an attacker to bypass\nintended access restrictions. (CVE-2008-4577)\n\nA password disclosure flaw was found with Dovecot\u0027s configuration file. If\na system had the \"ssl_key_password\" option defined, any local user could\nview the SSL key password. (CVE-2008-4870)\n\nNote: This flaw did not allow the attacker to acquire the contents of the\nSSL key. The password has no value without the key file which arbitrary\nusers should not have read access to.\n\nTo better protect even this value, however, the dovecot.conf file now\nsupports the \"!include_try\" directive. The ssl_key_password option should\nbe moved from dovecot.conf to a new file owned by, and only readable and\nwritable by, root (ie 0600). This file should be referenced from\ndovecot.conf by setting the \"!include_try [/path/to/password/file]\" option.\n\nAdditionally, this update addresses the following bugs:\n\n* the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if\nthe dovecot binary or configuration files existed. It also used the wrong\npid file for checking the dovecot service\u0027s status. This update includes a\nnew init script that corrects these errors.\n\n* the %files section of the dovecot spec file did not include \"%dir\n%{ssldir}/private\". As a consequence, the /etc/pki/private/ directory was\nnot owned by dovecot. (Note: files inside /etc/pki/private/ were and are\nowned by dovecot.) With this update, the missing line has been added to the\nspec file, and the noted directory is now owned by dovecot.\n\n* in some previously released versions of dovecot, the authentication\nprocess accepted (and passed along un-escaped) passwords containing\ncharacters that had special meaning to dovecot\u0027s internal protocols. This\nupdated release prevents such passwords from being passed back, instead\nreturning the error, \"Attempted login with password having illegal chars\".\n\nNote: dovecot versions previously shipped with Red Hat Enterprise Linux 5\ndid not allow this behavior. This update addresses the issue above but said\nissue was only present in versions of dovecot not previously included with\nRed Hat Enterprise Linux 5.\n\nUsers of dovecot are advised to upgrade to this updated package, which\naddresses these vulnerabilities and resolves these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2009:0205",
"url": "https://access.redhat.com/errata/RHSA-2009:0205"
},
{
"category": "external",
"summary": "http://www.redhat.com/security/updates/classification/#low",
"url": "http://www.redhat.com/security/updates/classification/#low"
},
{
"category": "external",
"summary": "238016",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=238016"
},
{
"category": "external",
"summary": "436287",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287"
},
{
"category": "external",
"summary": "439369",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=439369"
},
{
"category": "external",
"summary": "448089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=448089"
},
{
"category": "external",
"summary": "467436",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=467436"
},
{
"category": "external",
"summary": "469659",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=469659"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_0205.json"
}
],
"title": "Red Hat Security Advisory: dovecot security and bug fix update",
"tracking": {
"current_release_date": "2025-11-21T17:34:11+00:00",
"generator": {
"date": "2025-11-21T17:34:11+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2009:0205",
"initial_release_date": "2009-01-20T15:45:00+00:00",
"revision_history": [
{
"date": "2009-01-20T15:45:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2009-01-20T11:06:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T17:34:11+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product": {
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::client_workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product": {
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::server"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "dovecot-0:1.0.7-7.el5.src",
"product": {
"name": "dovecot-0:1.0.7-7.el5.src",
"product_id": "dovecot-0:1.0.7-7.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "dovecot-0:1.0.7-7.el5.x86_64",
"product": {
"name": "dovecot-0:1.0.7-7.el5.x86_64",
"product_id": "dovecot-0:1.0.7-7.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"product": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"product_id": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "dovecot-0:1.0.7-7.el5.i386",
"product": {
"name": "dovecot-0:1.0.7-7.el5.i386",
"product_id": "dovecot-0:1.0.7-7.el5.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=i386"
}
}
},
{
"category": "product_version",
"name": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
"product": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
"product_id": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=i386"
}
}
}
],
"category": "architecture",
"name": "i386"
},
{
"branches": [
{
"category": "product_version",
"name": "dovecot-0:1.0.7-7.el5.ia64",
"product": {
"name": "dovecot-0:1.0.7-7.el5.ia64",
"product_id": "dovecot-0:1.0.7-7.el5.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ia64"
}
}
},
{
"category": "product_version",
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"product": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"product_id": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ia64"
}
}
}
],
"category": "architecture",
"name": "ia64"
},
{
"branches": [
{
"category": "product_version",
"name": "dovecot-0:1.0.7-7.el5.ppc",
"product": {
"name": "dovecot-0:1.0.7-7.el5.ppc",
"product_id": "dovecot-0:1.0.7-7.el5.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ppc"
}
}
},
{
"category": "product_version",
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"product": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"product_id": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ppc"
}
}
}
],
"category": "architecture",
"name": "ppc"
},
{
"branches": [
{
"category": "product_version",
"name": "dovecot-0:1.0.7-7.el5.s390x",
"product": {
"name": "dovecot-0:1.0.7-7.el5.s390x",
"product_id": "dovecot-0:1.0.7-7.el5.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"product": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"product_id": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386"
},
"product_reference": "dovecot-0:1.0.7-7.el5.i386",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64"
},
"product_reference": "dovecot-0:1.0.7-7.el5.ia64",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc"
},
"product_reference": "dovecot-0:1.0.7-7.el5.ppc",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x"
},
"product_reference": "dovecot-0:1.0.7-7.el5.s390x",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.src"
},
"product_reference": "dovecot-0:1.0.7-7.el5.src",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64"
},
"product_reference": "dovecot-0:1.0.7-7.el5.x86_64",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-0:1.0.7-7.el5.i386"
},
"product_reference": "dovecot-0:1.0.7-7.el5.i386",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-0:1.0.7-7.el5.ia64"
},
"product_reference": "dovecot-0:1.0.7-7.el5.ia64",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-0:1.0.7-7.el5.ppc"
},
"product_reference": "dovecot-0:1.0.7-7.el5.ppc",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-0:1.0.7-7.el5.s390x"
},
"product_reference": "dovecot-0:1.0.7-7.el5.s390x",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-0:1.0.7-7.el5.src"
},
"product_reference": "dovecot-0:1.0.7-7.el5.src",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-0:1.0.7-7.el5.x86_64"
},
"product_reference": "dovecot-0:1.0.7-7.el5.x86_64",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"relates_to_product_reference": "5Server"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2008-4577",
"discovery_date": "2008-10-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "467436"
}
],
"notes": [
{
"category": "description",
"text": "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dovecot: incorrect handling of negative rights in the ACL plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-0:1.0.7-7.el5.i386",
"5Server:dovecot-0:1.0.7-7.el5.ia64",
"5Server:dovecot-0:1.0.7-7.el5.ppc",
"5Server:dovecot-0:1.0.7-7.el5.s390x",
"5Server:dovecot-0:1.0.7-7.el5.src",
"5Server:dovecot-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2008-4577"
},
{
"category": "external",
"summary": "RHBZ#467436",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=467436"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2008-4577",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-4577"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-4577",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4577"
}
],
"release_date": "2008-10-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2009-01-20T15:45:00+00:00",
"details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
"product_ids": [
"5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-0:1.0.7-7.el5.i386",
"5Server:dovecot-0:1.0.7-7.el5.ia64",
"5Server:dovecot-0:1.0.7-7.el5.ppc",
"5Server:dovecot-0:1.0.7-7.el5.s390x",
"5Server:dovecot-0:1.0.7-7.el5.src",
"5Server:dovecot-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2009:0205"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-0:1.0.7-7.el5.i386",
"5Server:dovecot-0:1.0.7-7.el5.ia64",
"5Server:dovecot-0:1.0.7-7.el5.ppc",
"5Server:dovecot-0:1.0.7-7.el5.s390x",
"5Server:dovecot-0:1.0.7-7.el5.src",
"5Server:dovecot-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "dovecot: incorrect handling of negative rights in the ACL plugin"
},
{
"cve": "CVE-2008-4870",
"discovery_date": "2008-03-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "469659"
}
],
"notes": [
{
"category": "description",
"text": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-0:1.0.7-7.el5.i386",
"5Server:dovecot-0:1.0.7-7.el5.ia64",
"5Server:dovecot-0:1.0.7-7.el5.ppc",
"5Server:dovecot-0:1.0.7-7.el5.s390x",
"5Server:dovecot-0:1.0.7-7.el5.src",
"5Server:dovecot-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2008-4870"
},
{
"category": "external",
"summary": "RHBZ#469659",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=469659"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2008-4870",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-4870"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-4870",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4870"
}
],
"release_date": "2008-03-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2009-01-20T15:45:00+00:00",
"details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
"product_ids": [
"5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-0:1.0.7-7.el5.i386",
"5Server:dovecot-0:1.0.7-7.el5.ia64",
"5Server:dovecot-0:1.0.7-7.el5.ppc",
"5Server:dovecot-0:1.0.7-7.el5.s390x",
"5Server:dovecot-0:1.0.7-7.el5.src",
"5Server:dovecot-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2009:0205"
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions"
}
]
}
RHSA-2009_0205
Vulnerability from csaf_redhat - Published: 2009-01-20 15:45 - Updated: 2024-11-22 02:17Summary
Red Hat Security Advisory: dovecot security and bug fix update
Severity
Low
Notes
Topic: An updated dovecot package that corrects two security flaws and various bugs
is now available for Red Hat Enterprise Linux 5.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
Details: Dovecot is an IMAP server for Linux and UNIX-like systems, primarily
written with security in mind.
A flaw was found in Dovecot's ACL plug-in. The ACL plug-in treated negative
access rights as positive rights, which could allow an attacker to bypass
intended access restrictions. (CVE-2008-4577)
A password disclosure flaw was found with Dovecot's configuration file. If
a system had the "ssl_key_password" option defined, any local user could
view the SSL key password. (CVE-2008-4870)
Note: This flaw did not allow the attacker to acquire the contents of the
SSL key. The password has no value without the key file which arbitrary
users should not have read access to.
To better protect even this value, however, the dovecot.conf file now
supports the "!include_try" directive. The ssl_key_password option should
be moved from dovecot.conf to a new file owned by, and only readable and
writable by, root (ie 0600). This file should be referenced from
dovecot.conf by setting the "!include_try [/path/to/password/file]" option.
Additionally, this update addresses the following bugs:
* the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if
the dovecot binary or configuration files existed. It also used the wrong
pid file for checking the dovecot service's status. This update includes a
new init script that corrects these errors.
* the %files section of the dovecot spec file did not include "%dir
%{ssldir}/private". As a consequence, the /etc/pki/private/ directory was
not owned by dovecot. (Note: files inside /etc/pki/private/ were and are
owned by dovecot.) With this update, the missing line has been added to the
spec file, and the noted directory is now owned by dovecot.
* in some previously released versions of dovecot, the authentication
process accepted (and passed along un-escaped) passwords containing
characters that had special meaning to dovecot's internal protocols. This
updated release prevents such passwords from being passed back, instead
returning the error, "Attempted login with password having illegal chars".
Note: dovecot versions previously shipped with Red Hat Enterprise Linux 5
did not allow this behavior. This update addresses the issue above but said
issue was only present in versions of dovecot not previously included with
Red Hat Enterprise Linux 5.
Users of dovecot are advised to upgrade to this updated package, which
addresses these vulnerabilities and resolves these issues.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
3.6 ()
Affected products
Fixed
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.
Affected products
Fixed
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
References
17 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated dovecot package that corrects two security flaws and various bugs\nis now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.",
"title": "Topic"
},
{
"category": "general",
"text": "Dovecot is an IMAP server for Linux and UNIX-like systems, primarily\nwritten with security in mind.\n\nA flaw was found in Dovecot\u0027s ACL plug-in. The ACL plug-in treated negative\naccess rights as positive rights, which could allow an attacker to bypass\nintended access restrictions. (CVE-2008-4577)\n\nA password disclosure flaw was found with Dovecot\u0027s configuration file. If\na system had the \"ssl_key_password\" option defined, any local user could\nview the SSL key password. (CVE-2008-4870)\n\nNote: This flaw did not allow the attacker to acquire the contents of the\nSSL key. The password has no value without the key file which arbitrary\nusers should not have read access to.\n\nTo better protect even this value, however, the dovecot.conf file now\nsupports the \"!include_try\" directive. The ssl_key_password option should\nbe moved from dovecot.conf to a new file owned by, and only readable and\nwritable by, root (ie 0600). This file should be referenced from\ndovecot.conf by setting the \"!include_try [/path/to/password/file]\" option.\n\nAdditionally, this update addresses the following bugs:\n\n* the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if\nthe dovecot binary or configuration files existed. It also used the wrong\npid file for checking the dovecot service\u0027s status. This update includes a\nnew init script that corrects these errors.\n\n* the %files section of the dovecot spec file did not include \"%dir\n%{ssldir}/private\". As a consequence, the /etc/pki/private/ directory was\nnot owned by dovecot. (Note: files inside /etc/pki/private/ were and are\nowned by dovecot.) With this update, the missing line has been added to the\nspec file, and the noted directory is now owned by dovecot.\n\n* in some previously released versions of dovecot, the authentication\nprocess accepted (and passed along un-escaped) passwords containing\ncharacters that had special meaning to dovecot\u0027s internal protocols. This\nupdated release prevents such passwords from being passed back, instead\nreturning the error, \"Attempted login with password having illegal chars\".\n\nNote: dovecot versions previously shipped with Red Hat Enterprise Linux 5\ndid not allow this behavior. This update addresses the issue above but said\nissue was only present in versions of dovecot not previously included with\nRed Hat Enterprise Linux 5.\n\nUsers of dovecot are advised to upgrade to this updated package, which\naddresses these vulnerabilities and resolves these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2009:0205",
"url": "https://access.redhat.com/errata/RHSA-2009:0205"
},
{
"category": "external",
"summary": "http://www.redhat.com/security/updates/classification/#low",
"url": "http://www.redhat.com/security/updates/classification/#low"
},
{
"category": "external",
"summary": "238016",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=238016"
},
{
"category": "external",
"summary": "436287",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287"
},
{
"category": "external",
"summary": "439369",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=439369"
},
{
"category": "external",
"summary": "448089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=448089"
},
{
"category": "external",
"summary": "467436",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=467436"
},
{
"category": "external",
"summary": "469659",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=469659"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_0205.json"
}
],
"title": "Red Hat Security Advisory: dovecot security and bug fix update",
"tracking": {
"current_release_date": "2024-11-22T02:17:23+00:00",
"generator": {
"date": "2024-11-22T02:17:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2009:0205",
"initial_release_date": "2009-01-20T15:45:00+00:00",
"revision_history": [
{
"date": "2009-01-20T15:45:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2009-01-20T11:06:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T02:17:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product": {
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::client_workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product": {
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::server"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "dovecot-0:1.0.7-7.el5.src",
"product": {
"name": "dovecot-0:1.0.7-7.el5.src",
"product_id": "dovecot-0:1.0.7-7.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "dovecot-0:1.0.7-7.el5.x86_64",
"product": {
"name": "dovecot-0:1.0.7-7.el5.x86_64",
"product_id": "dovecot-0:1.0.7-7.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"product": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"product_id": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "dovecot-0:1.0.7-7.el5.i386",
"product": {
"name": "dovecot-0:1.0.7-7.el5.i386",
"product_id": "dovecot-0:1.0.7-7.el5.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=i386"
}
}
},
{
"category": "product_version",
"name": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
"product": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
"product_id": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=i386"
}
}
}
],
"category": "architecture",
"name": "i386"
},
{
"branches": [
{
"category": "product_version",
"name": "dovecot-0:1.0.7-7.el5.ia64",
"product": {
"name": "dovecot-0:1.0.7-7.el5.ia64",
"product_id": "dovecot-0:1.0.7-7.el5.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ia64"
}
}
},
{
"category": "product_version",
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"product": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"product_id": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ia64"
}
}
}
],
"category": "architecture",
"name": "ia64"
},
{
"branches": [
{
"category": "product_version",
"name": "dovecot-0:1.0.7-7.el5.ppc",
"product": {
"name": "dovecot-0:1.0.7-7.el5.ppc",
"product_id": "dovecot-0:1.0.7-7.el5.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ppc"
}
}
},
{
"category": "product_version",
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"product": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"product_id": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ppc"
}
}
}
],
"category": "architecture",
"name": "ppc"
},
{
"branches": [
{
"category": "product_version",
"name": "dovecot-0:1.0.7-7.el5.s390x",
"product": {
"name": "dovecot-0:1.0.7-7.el5.s390x",
"product_id": "dovecot-0:1.0.7-7.el5.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"product": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"product_id": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386"
},
"product_reference": "dovecot-0:1.0.7-7.el5.i386",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64"
},
"product_reference": "dovecot-0:1.0.7-7.el5.ia64",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc"
},
"product_reference": "dovecot-0:1.0.7-7.el5.ppc",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x"
},
"product_reference": "dovecot-0:1.0.7-7.el5.s390x",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.src"
},
"product_reference": "dovecot-0:1.0.7-7.el5.src",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64"
},
"product_reference": "dovecot-0:1.0.7-7.el5.x86_64",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-0:1.0.7-7.el5.i386"
},
"product_reference": "dovecot-0:1.0.7-7.el5.i386",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-0:1.0.7-7.el5.ia64"
},
"product_reference": "dovecot-0:1.0.7-7.el5.ia64",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-0:1.0.7-7.el5.ppc"
},
"product_reference": "dovecot-0:1.0.7-7.el5.ppc",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-0:1.0.7-7.el5.s390x"
},
"product_reference": "dovecot-0:1.0.7-7.el5.s390x",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-0:1.0.7-7.el5.src"
},
"product_reference": "dovecot-0:1.0.7-7.el5.src",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-0:1.0.7-7.el5.x86_64"
},
"product_reference": "dovecot-0:1.0.7-7.el5.x86_64",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
},
"product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"relates_to_product_reference": "5Server"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2008-4577",
"discovery_date": "2008-10-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "467436"
}
],
"notes": [
{
"category": "description",
"text": "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dovecot: incorrect handling of negative rights in the ACL plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-0:1.0.7-7.el5.i386",
"5Server:dovecot-0:1.0.7-7.el5.ia64",
"5Server:dovecot-0:1.0.7-7.el5.ppc",
"5Server:dovecot-0:1.0.7-7.el5.s390x",
"5Server:dovecot-0:1.0.7-7.el5.src",
"5Server:dovecot-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2008-4577"
},
{
"category": "external",
"summary": "RHBZ#467436",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=467436"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2008-4577",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-4577"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-4577",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4577"
}
],
"release_date": "2008-10-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2009-01-20T15:45:00+00:00",
"details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
"product_ids": [
"5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-0:1.0.7-7.el5.i386",
"5Server:dovecot-0:1.0.7-7.el5.ia64",
"5Server:dovecot-0:1.0.7-7.el5.ppc",
"5Server:dovecot-0:1.0.7-7.el5.s390x",
"5Server:dovecot-0:1.0.7-7.el5.src",
"5Server:dovecot-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2009:0205"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-0:1.0.7-7.el5.i386",
"5Server:dovecot-0:1.0.7-7.el5.ia64",
"5Server:dovecot-0:1.0.7-7.el5.ppc",
"5Server:dovecot-0:1.0.7-7.el5.s390x",
"5Server:dovecot-0:1.0.7-7.el5.src",
"5Server:dovecot-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "dovecot: incorrect handling of negative rights in the ACL plugin"
},
{
"cve": "CVE-2008-4870",
"discovery_date": "2008-03-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "469659"
}
],
"notes": [
{
"category": "description",
"text": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-0:1.0.7-7.el5.i386",
"5Server:dovecot-0:1.0.7-7.el5.ia64",
"5Server:dovecot-0:1.0.7-7.el5.ppc",
"5Server:dovecot-0:1.0.7-7.el5.s390x",
"5Server:dovecot-0:1.0.7-7.el5.src",
"5Server:dovecot-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2008-4870"
},
{
"category": "external",
"summary": "RHBZ#469659",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=469659"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2008-4870",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-4870"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-4870",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4870"
}
],
"release_date": "2008-03-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2009-01-20T15:45:00+00:00",
"details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
"product_ids": [
"5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
"5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-0:1.0.7-7.el5.i386",
"5Server:dovecot-0:1.0.7-7.el5.ia64",
"5Server:dovecot-0:1.0.7-7.el5.ppc",
"5Server:dovecot-0:1.0.7-7.el5.s390x",
"5Server:dovecot-0:1.0.7-7.el5.src",
"5Server:dovecot-0:1.0.7-7.el5.x86_64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
"5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2009:0205"
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…