Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2007-2231
Vulnerability from cvelistv5
Published
2007-04-25 15:00
Modified
2024-08-07 13:33
Severity ?
EPSS score ?
Summary
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-07T13:33:27.439Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "USN-487-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "http://www.ubuntu.com/usn/usn-487-1", }, { name: "30342", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/30342", }, { name: "RHSA-2008:0297", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html", }, { name: "23552", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/23552", }, { name: "DSA-1359", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2007/dsa-1359", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://dovecot.org/doc/NEWS", }, { name: "[dovecot-cvs] 20070330 dovecot/src/lib-storage/index/mbox mbox-storage.c, 1.145.2.14, 1.145.2.15", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html", }, { name: "oval:org.mitre.oval:def:10995", tags: [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred", ], url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995", }, { name: "dovecot-mboxstorage-directory-traversal(34082)", tags: [ "vdb-entry", "x_refsource_XF", "x_transferred", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082", }, { name: "SUSE-SR:2007:008", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://www.novell.com/linux/security/advisories/2007_8_sr.html", }, { name: "ADV-2007-1452", tags: [ "vdb-entry", "x_refsource_VUPEN", "x_transferred", ], url: "http://www.vupen.com/english/advisories/2007/1452", }, { name: "[dovecot-news] 20070330 Security hole #3: zlib plugin allows opening any gziped mboxes", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://dovecot.org/list/dovecot-news/2007-March/000038.html", }, { name: "25072", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/25072", }, { name: "20070418 rPSA-2007-0074-1 dovecot", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://www.securityfocus.com/archive/1/466168/100/0/threaded", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2007-04-18T00:00:00", descriptions: [ { lang: "en", value: "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-10-16T14:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "USN-487-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "http://www.ubuntu.com/usn/usn-487-1", }, { name: "30342", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/30342", }, { name: "RHSA-2008:0297", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html", }, { name: "23552", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/23552", }, { name: "DSA-1359", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2007/dsa-1359", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://dovecot.org/doc/NEWS", }, { name: "[dovecot-cvs] 20070330 dovecot/src/lib-storage/index/mbox mbox-storage.c, 1.145.2.14, 1.145.2.15", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html", }, { name: "oval:org.mitre.oval:def:10995", tags: [ "vdb-entry", "signature", "x_refsource_OVAL", ], url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995", }, { name: "dovecot-mboxstorage-directory-traversal(34082)", tags: [ "vdb-entry", "x_refsource_XF", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082", }, { name: "SUSE-SR:2007:008", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://www.novell.com/linux/security/advisories/2007_8_sr.html", }, { name: "ADV-2007-1452", tags: [ "vdb-entry", "x_refsource_VUPEN", ], url: "http://www.vupen.com/english/advisories/2007/1452", }, { name: "[dovecot-news] 20070330 Security hole #3: zlib plugin allows opening any gziped mboxes", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://dovecot.org/list/dovecot-news/2007-March/000038.html", }, { name: "25072", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/25072", }, { name: "20070418 rPSA-2007-0074-1 dovecot", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://www.securityfocus.com/archive/1/466168/100/0/threaded", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2007-2231", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "USN-487-1", refsource: "UBUNTU", url: "http://www.ubuntu.com/usn/usn-487-1", }, { name: "30342", refsource: "SECUNIA", url: "http://secunia.com/advisories/30342", }, { name: "RHSA-2008:0297", refsource: "REDHAT", url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html", }, { name: "23552", refsource: "BID", url: "http://www.securityfocus.com/bid/23552", }, { name: "DSA-1359", refsource: "DEBIAN", url: "http://www.debian.org/security/2007/dsa-1359", }, { name: "http://dovecot.org/doc/NEWS", refsource: "CONFIRM", url: "http://dovecot.org/doc/NEWS", }, { name: "[dovecot-cvs] 20070330 dovecot/src/lib-storage/index/mbox mbox-storage.c, 1.145.2.14, 1.145.2.15", refsource: "MLIST", url: "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html", }, { name: "oval:org.mitre.oval:def:10995", refsource: "OVAL", url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995", }, { name: "dovecot-mboxstorage-directory-traversal(34082)", refsource: "XF", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082", }, { name: "SUSE-SR:2007:008", refsource: "SUSE", url: "http://www.novell.com/linux/security/advisories/2007_8_sr.html", }, { name: "ADV-2007-1452", refsource: "VUPEN", url: "http://www.vupen.com/english/advisories/2007/1452", }, { name: "[dovecot-news] 20070330 Security hole #3: zlib plugin allows opening any gziped mboxes", refsource: "MLIST", url: "http://dovecot.org/list/dovecot-news/2007-March/000038.html", }, { name: "25072", refsource: "SECUNIA", url: "http://secunia.com/advisories/25072", }, { name: "20070418 rPSA-2007-0074-1 dovecot", refsource: "BUGTRAQ", url: "http://www.securityfocus.com/archive/1/466168/100/0/threaded", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2007-2231", datePublished: "2007-04-25T15:00:00", dateReserved: "2007-04-25T00:00:00", dateUpdated: "2024-08-07T13:33:27.439Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { nvd: "{\"cve\":{\"id\":\"CVE-2007-2231\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2007-04-25T15:19:00.000\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de escalado de directorio en index/mbox/mbox-storage.c de Dovecot versiones anteriores a 1.0.rc29, cuando se usa la extensión (plugin) zlib, permite a atacantes remotos leer buzones de correo (mbox files) comprimidos con gzip (.gz) de su elección mediante una secuencia .. (punto punto) en el nombre del buzón.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.beta1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C9FBEF6C-4A09-4661-BED0-8B5BC8BAF1AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D680474-C329-4DD0-B4EA-2406E27EC474\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"165A0D0B-C6B0-431F-BF36-223A27CD6A42\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.beta4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"92FB54D3-F856-4027-8AAF-6B05AE17D520\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.beta5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"34759794-747B-4770-8DB5-4E07AA8A15AF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.beta6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D5AF2A0-3289-47FA-B8DB-D5E28504F012\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99268D48-CF82-450B-A033-D87AF4109531\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2E09737-8107-45C0-BFF1-FB4CF81564CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.beta9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"280BE28D-B8A8-4E76-BC96-DB756C00B994\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"91E74D81-DF10-423A-8549-3BB5ED02B5A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07D6853E-7E81-443D-8806-C8469217F55C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1BE4B6A-47A2-457B-B6B8-8FE5C2026A11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7382F655-9B27-443D-9397-346FBEADEFDA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F180045-A0DA-40A3-AD3E-F3402FB6456A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C1A2FFE7-D008-47B4-80E7-AEC176918E06\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C840337-7B31-476B-BBCD-65F4899925E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"545EF2F5-9BAE-4612-9958-70A5413818A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E80096F8-46D9-42E3-8CDB-99ADA2CBD970\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E504866-3429-4A4C-8278-5C2753D356C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"30857130-636F-4719-9F1E-8F6369F40DAC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9843D7CE-4723-4200-AFD4-5B31545A287E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"54AF1D92-D89B-4DE4-9D47-72466873A4C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"64A8FCA5-1666-48F7-9689-37D9315813F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D4D517F3-F0A8-4362-89B9-0ED63515283F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc16:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"23883A94-559B-4655-82D4-F09868235771\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc17:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"520B52BF-FD23-429D-BAA4-E08DB84C82F3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc18:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0B7948AB-2061-4ADB-A01C-3CE8B47CCD19\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc19:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C24F6BFB-AA8C-441A-9026-809183D0350E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc20:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C22A513A-A94A-4BC4-B5B7-3CCA166C9874\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc21:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"65038654-6B35-4502-BD74-F9F0954C5EF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc22:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4307AA80-C0AC-4193-8353-D746DBF52FD8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc23:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0E95BAF5-FC78-4286-B6BD-464E9F08CF9D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc24:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0C6AA8FD-3692-4069-8980-9544044B8CE6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc25:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F22AADE9-D37D-439B-B934-8DA01A29BB87\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc26:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4ECCD893-A5EE-4696-80AA-FD9092548BDA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc27:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0B960D71-04E5-45F7-8DC2-45C341673FB5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc28:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"658E275E-8C2C-46EE-850A-14ADBD097E0F\"}]}]}],\"references\":[{\"url\":\"http://dovecot.org/doc/NEWS\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://dovecot.org/list/dovecot-cvs/2007-March/008488.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://dovecot.org/list/dovecot-news/2007-March/000038.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/25072\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/30342\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.debian.org/security/2007/dsa-1359\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.novell.com/linux/security/advisories/2007_8_sr.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2008-0297.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/archive/1/466168/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/23552\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.ubuntu.com/usn/usn-487-1\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.vupen.com/english/advisories/2007/1452\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/34082\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://dovecot.org/doc/NEWS\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://dovecot.org/list/dovecot-cvs/2007-March/008488.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://dovecot.org/list/dovecot-news/2007-March/000038.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/25072\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/30342\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2007/dsa-1359\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.novell.com/linux/security/advisories/2007_8_sr.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2008-0297.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/466168/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/23552\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.ubuntu.com/usn/usn-487-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.vupen.com/english/advisories/2007/1452\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/34082\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"vendorComments\":[{\"organization\":\"Red Hat\",\"comment\":\"This issue did not affect Red Hat Enterprise Linux prior to version 5. An update to Red Hat Enterprise Linux 5 was released to correct this issue:\\nhttps://rhn.redhat.com/errata/RHSA-2008-0297.html\",\"lastModified\":\"2008-05-21T00:00:00\"}]}}", }, }
fkie_cve-2007-2231
Vulnerability from fkie_nvd
Published
2007-04-25 15:19
Modified
2025-04-09 00:30
Severity ?
Summary
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dovecot | dovecot | 1.0.beta1 | |
| dovecot | dovecot | 1.0.beta2 | |
| dovecot | dovecot | 1.0.beta3 | |
| dovecot | dovecot | 1.0.beta4 | |
| dovecot | dovecot | 1.0.beta5 | |
| dovecot | dovecot | 1.0.beta6 | |
| dovecot | dovecot | 1.0.beta7 | |
| dovecot | dovecot | 1.0.beta8 | |
| dovecot | dovecot | 1.0.beta9 | |
| dovecot | dovecot | 1.0.rc1 | |
| dovecot | dovecot | 1.0.rc2 | |
| dovecot | dovecot | 1.0.rc3 | |
| dovecot | dovecot | 1.0.rc4 | |
| dovecot | dovecot | 1.0.rc5 | |
| dovecot | dovecot | 1.0.rc6 | |
| dovecot | dovecot | 1.0.rc7 | |
| dovecot | dovecot | 1.0.rc8 | |
| dovecot | dovecot | 1.0.rc9 | |
| dovecot | dovecot | 1.0.rc10 | |
| dovecot | dovecot | 1.0.rc11 | |
| dovecot | dovecot | 1.0.rc12 | |
| dovecot | dovecot | 1.0.rc13 | |
| dovecot | dovecot | 1.0.rc14 | |
| dovecot | dovecot | 1.0.rc15 | |
| dovecot | dovecot | 1.0.rc16 | |
| dovecot | dovecot | 1.0.rc17 | |
| dovecot | dovecot | 1.0.rc18 | |
| dovecot | dovecot | 1.0.rc19 | |
| dovecot | dovecot | 1.0.rc20 | |
| dovecot | dovecot | 1.0.rc21 | |
| dovecot | dovecot | 1.0.rc22 | |
| dovecot | dovecot | 1.0.rc23 | |
| dovecot | dovecot | 1.0.rc24 | |
| dovecot | dovecot | 1.0.rc25 | |
| dovecot | dovecot | 1.0.rc26 | |
| dovecot | dovecot | 1.0.rc27 | |
| dovecot | dovecot | 1.0.rc28 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.beta1:*:*:*:*:*:*:*", matchCriteriaId: "C9FBEF6C-4A09-4661-BED0-8B5BC8BAF1AD", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*", matchCriteriaId: "9D680474-C329-4DD0-B4EA-2406E27EC474", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*", matchCriteriaId: "165A0D0B-C6B0-431F-BF36-223A27CD6A42", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.beta4:*:*:*:*:*:*:*", matchCriteriaId: "92FB54D3-F856-4027-8AAF-6B05AE17D520", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.beta5:*:*:*:*:*:*:*", matchCriteriaId: "34759794-747B-4770-8DB5-4E07AA8A15AF", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.beta6:*:*:*:*:*:*:*", matchCriteriaId: "8D5AF2A0-3289-47FA-B8DB-D5E28504F012", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*", matchCriteriaId: "99268D48-CF82-450B-A033-D87AF4109531", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*", matchCriteriaId: "B2E09737-8107-45C0-BFF1-FB4CF81564CD", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.beta9:*:*:*:*:*:*:*", matchCriteriaId: "280BE28D-B8A8-4E76-BC96-DB756C00B994", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*", matchCriteriaId: "91E74D81-DF10-423A-8549-3BB5ED02B5A6", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*", matchCriteriaId: "07D6853E-7E81-443D-8806-C8469217F55C", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*", matchCriteriaId: "D1BE4B6A-47A2-457B-B6B8-8FE5C2026A11", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*", matchCriteriaId: "7382F655-9B27-443D-9397-346FBEADEFDA", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*", matchCriteriaId: "6F180045-A0DA-40A3-AD3E-F3402FB6456A", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*", matchCriteriaId: "C1A2FFE7-D008-47B4-80E7-AEC176918E06", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*", matchCriteriaId: "8C840337-7B31-476B-BBCD-65F4899925E6", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*", matchCriteriaId: "545EF2F5-9BAE-4612-9958-70A5413818A6", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*", matchCriteriaId: "E80096F8-46D9-42E3-8CDB-99ADA2CBD970", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*", matchCriteriaId: "9E504866-3429-4A4C-8278-5C2753D356C7", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*", matchCriteriaId: "30857130-636F-4719-9F1E-8F6369F40DAC", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*", matchCriteriaId: "9843D7CE-4723-4200-AFD4-5B31545A287E", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*", matchCriteriaId: "54AF1D92-D89B-4DE4-9D47-72466873A4C7", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*", matchCriteriaId: "64A8FCA5-1666-48F7-9689-37D9315813F7", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*", matchCriteriaId: "D4D517F3-F0A8-4362-89B9-0ED63515283F", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc16:*:*:*:*:*:*:*", matchCriteriaId: "23883A94-559B-4655-82D4-F09868235771", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc17:*:*:*:*:*:*:*", matchCriteriaId: "520B52BF-FD23-429D-BAA4-E08DB84C82F3", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc18:*:*:*:*:*:*:*", matchCriteriaId: "0B7948AB-2061-4ADB-A01C-3CE8B47CCD19", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc19:*:*:*:*:*:*:*", matchCriteriaId: "C24F6BFB-AA8C-441A-9026-809183D0350E", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc20:*:*:*:*:*:*:*", matchCriteriaId: "C22A513A-A94A-4BC4-B5B7-3CCA166C9874", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc21:*:*:*:*:*:*:*", matchCriteriaId: "65038654-6B35-4502-BD74-F9F0954C5EF0", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc22:*:*:*:*:*:*:*", matchCriteriaId: "4307AA80-C0AC-4193-8353-D746DBF52FD8", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc23:*:*:*:*:*:*:*", matchCriteriaId: "0E95BAF5-FC78-4286-B6BD-464E9F08CF9D", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc24:*:*:*:*:*:*:*", matchCriteriaId: "0C6AA8FD-3692-4069-8980-9544044B8CE6", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc25:*:*:*:*:*:*:*", matchCriteriaId: "F22AADE9-D37D-439B-B934-8DA01A29BB87", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc26:*:*:*:*:*:*:*", matchCriteriaId: "4ECCD893-A5EE-4696-80AA-FD9092548BDA", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc27:*:*:*:*:*:*:*", matchCriteriaId: "0B960D71-04E5-45F7-8DC2-45C341673FB5", vulnerable: true, }, { criteria: "cpe:2.3:a:dovecot:dovecot:1.0.rc28:*:*:*:*:*:*:*", matchCriteriaId: "658E275E-8C2C-46EE-850A-14ADBD097E0F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.", }, { lang: "es", value: "Vulnerabilidad de escalado de directorio en index/mbox/mbox-storage.c de Dovecot versiones anteriores a 1.0.rc29, cuando se usa la extensión (plugin) zlib, permite a atacantes remotos leer buzones de correo (mbox files) comprimidos con gzip (.gz) de su elección mediante una secuencia .. (punto punto) en el nombre del buzón.", }, ], id: "CVE-2007-2231", lastModified: "2025-04-09T00:30:58.490", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2007-04-25T15:19:00.000", references: [ { source: "cve@mitre.org", url: "http://dovecot.org/doc/NEWS", }, { source: "cve@mitre.org", url: "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html", }, { source: "cve@mitre.org", url: "http://dovecot.org/list/dovecot-news/2007-March/000038.html", }, { source: "cve@mitre.org", url: "http://secunia.com/advisories/25072", }, { source: "cve@mitre.org", url: "http://secunia.com/advisories/30342", }, { source: "cve@mitre.org", url: "http://www.debian.org/security/2007/dsa-1359", }, { source: "cve@mitre.org", url: "http://www.novell.com/linux/security/advisories/2007_8_sr.html", }, { source: "cve@mitre.org", url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html", }, { source: "cve@mitre.org", url: "http://www.securityfocus.com/archive/1/466168/100/0/threaded", }, { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/23552", }, { source: "cve@mitre.org", url: "http://www.ubuntu.com/usn/usn-487-1", }, { source: "cve@mitre.org", url: "http://www.vupen.com/english/advisories/2007/1452", }, { source: "cve@mitre.org", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082", }, { source: "cve@mitre.org", url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://dovecot.org/doc/NEWS", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://dovecot.org/list/dovecot-news/2007-March/000038.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/25072", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/30342", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2007/dsa-1359", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.novell.com/linux/security/advisories/2007_8_sr.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/archive/1/466168/100/0/threaded", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/23552", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.ubuntu.com/usn/usn-487-1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.vupen.com/english/advisories/2007/1452", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995", }, ], sourceIdentifier: "cve@mitre.org", vendorComments: [ { comment: "This issue did not affect Red Hat Enterprise Linux prior to version 5. An update to Red Hat Enterprise Linux 5 was released to correct this issue:\nhttps://rhn.redhat.com/errata/RHSA-2008-0297.html", lastModified: "2008-05-21T00:00:00", organization: "Red Hat", }, ], vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
rhsa-2008:0297
Vulnerability from csaf_redhat
Published
2008-05-20 14:28
Modified
2024-11-22 01:40
Summary
Red Hat Security Advisory: dovecot security and bug fix update
Notes
Topic
An updated dovecot package that fixes several security issues and various
bugs is now available for Red Hat Enterprise Linux 5.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
Details
Dovecot is an IMAP server for Linux and UNIX-like systems, primarily
written with security in mind.
A flaw was discovered in the way Dovecot handled the "mail_extra_groups"
option. An authenticated attacker with local shell access could leverage
this flaw to read, modify, or delete other users mail that is stored on
the mail server. (CVE-2008-1199)
This issue did not affect the default Red Hat Enterprise Linux 5 Dovecot
configuration. This update adds two new configuration options --
"mail_privileged_group" and "mail_access_groups" -- to minimize the usage
of additional privileges.
A directory traversal flaw was discovered in Dovecot's zlib plug-in. An
authenticated user could use this flaw to view other compressed mailboxes
with the permissions of the Dovecot process. (CVE-2007-2231)
A flaw was found in the Dovecot ACL plug-in. User with only insert
permissions for a mailbox could use the "COPY" and "APPEND" commands to set
additional message flags. (CVE-2007-4211)
A flaw was found in a way Dovecot cached LDAP query results in certain
configurations. This could possibly allow authenticated users to log in as
a different user who has the same password. (CVE-2007-6598)
As well, this updated package fixes the following bugs:
* configuring "userdb" and "passdb" to use LDAP caused Dovecot to hang. A
segmentation fault may have occurred. In this updated package, using an
LDAP backend for "userdb" and "passdb" no longer causes Dovecot to hang.
* the Dovecot "login_process_size" limit was configured for 32-bit systems.
On 64-bit systems, when Dovecot was configured to use either IMAP or POP3,
the log in processes crashed with out-of-memory errors. Errors such as the
following were logged:
pop3-login: pop3-login: error while loading shared libraries:
libsepol.so.1: failed to map segment from shared object: Cannot allocate
memory
In this updated package, the "login_process_size" limit is correctly
configured on 64-bit systems, which resolves this issue.
Note: this updated package upgrades dovecot to version 1.0.7. For
further details, refer to the Dovecot changelog:
http://koji.fedoraproject.org/koji/buildinfo?buildID=23397
Users of dovecot are advised to upgrade to this updated package, which
resolves these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Low", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An updated dovecot package that fixes several security issues and various\nbugs is now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.", title: "Topic", }, { category: "general", text: "Dovecot is an IMAP server for Linux and UNIX-like systems, primarily\nwritten with security in mind.\n\nA flaw was discovered in the way Dovecot handled the \"mail_extra_groups\"\noption. An authenticated attacker with local shell access could leverage\nthis flaw to read, modify, or delete other users mail that is stored on\nthe mail server. (CVE-2008-1199)\n\nThis issue did not affect the default Red Hat Enterprise Linux 5 Dovecot\nconfiguration. This update adds two new configuration options --\n\"mail_privileged_group\" and \"mail_access_groups\" -- to minimize the usage\nof additional privileges.\n\nA directory traversal flaw was discovered in Dovecot's zlib plug-in. An\nauthenticated user could use this flaw to view other compressed mailboxes\nwith the permissions of the Dovecot process. (CVE-2007-2231)\n\nA flaw was found in the Dovecot ACL plug-in. User with only insert\npermissions for a mailbox could use the \"COPY\" and \"APPEND\" commands to set\nadditional message flags. (CVE-2007-4211)\n\nA flaw was found in a way Dovecot cached LDAP query results in certain\nconfigurations. This could possibly allow authenticated users to log in as\na different user who has the same password. (CVE-2007-6598)\n\nAs well, this updated package fixes the following bugs:\n\n* configuring \"userdb\" and \"passdb\" to use LDAP caused Dovecot to hang. A\nsegmentation fault may have occurred. In this updated package, using an\nLDAP backend for \"userdb\" and \"passdb\" no longer causes Dovecot to hang.\n\n* the Dovecot \"login_process_size\" limit was configured for 32-bit systems.\nOn 64-bit systems, when Dovecot was configured to use either IMAP or POP3,\nthe log in processes crashed with out-of-memory errors. Errors such as the\nfollowing were logged:\n\npop3-login: pop3-login: error while loading shared libraries:\nlibsepol.so.1: failed to map segment from shared object: Cannot allocate\nmemory\n\nIn this updated package, the \"login_process_size\" limit is correctly\nconfigured on 64-bit systems, which resolves this issue.\n\nNote: this updated package upgrades dovecot to version 1.0.7. For\nfurther details, refer to the Dovecot changelog:\nhttp://koji.fedoraproject.org/koji/buildinfo?buildID=23397\n\nUsers of dovecot are advised to upgrade to this updated package, which\nresolves these issues.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2008:0297", url: "https://access.redhat.com/errata/RHSA-2008:0297", }, { category: "external", summary: "http://www.redhat.com/security/updates/classification/#low", url: "http://www.redhat.com/security/updates/classification/#low", }, { category: "external", summary: "238439", url: "https://bugzilla.redhat.com/show_bug.cgi?id=238439", }, { category: "external", summary: "245249", url: "https://bugzilla.redhat.com/show_bug.cgi?id=245249", }, { category: "external", summary: "251007", url: "https://bugzilla.redhat.com/show_bug.cgi?id=251007", }, { category: "external", summary: "253363", url: "https://bugzilla.redhat.com/show_bug.cgi?id=253363", }, { category: "external", summary: "331441", url: "https://bugzilla.redhat.com/show_bug.cgi?id=331441", }, { category: "external", summary: "380401", url: "https://bugzilla.redhat.com/show_bug.cgi?id=380401", }, { category: "external", summary: "427575", url: "https://bugzilla.redhat.com/show_bug.cgi?id=427575", }, { category: "external", summary: "436927", url: "https://bugzilla.redhat.com/show_bug.cgi?id=436927", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2008/rhsa-2008_0297.json", }, ], title: "Red Hat Security Advisory: dovecot security and bug fix update", tracking: { current_release_date: "2024-11-22T01:40:32+00:00", generator: { date: "2024-11-22T01:40:32+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2008:0297", initial_release_date: "2008-05-20T14:28:00+00:00", revision_history: [ { date: "2008-05-20T14:28:00+00:00", number: "1", summary: "Initial version", }, { date: "2008-05-21T10:20:08+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T01:40:32+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product: { name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::client_workstation", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux (v. 5 server)", product: { name: "Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::server", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.src", product: { name: "dovecot-0:1.0.7-2.el5.src", product_id: "dovecot-0:1.0.7-2.el5.src", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.x86_64", product: { name: "dovecot-0:1.0.7-2.el5.x86_64", product_id: "dovecot-0:1.0.7-2.el5.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=x86_64", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.i386", product: { name: "dovecot-0:1.0.7-2.el5.i386", product_id: "dovecot-0:1.0.7-2.el5.i386", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=i386", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.i386", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.i386", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.i386", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=i386", }, }, }, ], category: "architecture", name: "i386", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.ia64", product: { name: "dovecot-0:1.0.7-2.el5.ia64", product_id: "dovecot-0:1.0.7-2.el5.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=ia64", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=ia64", }, }, }, ], category: "architecture", name: "ia64", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.ppc", product: { name: "dovecot-0:1.0.7-2.el5.ppc", product_id: "dovecot-0:1.0.7-2.el5.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=ppc", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=ppc", }, }, }, ], category: "architecture", name: "ppc", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.s390x", product: { name: "dovecot-0:1.0.7-2.el5.s390x", product_id: "dovecot-0:1.0.7-2.el5.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=s390x", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", }, product_reference: "dovecot-0:1.0.7-2.el5.i386", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", }, product_reference: "dovecot-0:1.0.7-2.el5.ia64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", }, product_reference: "dovecot-0:1.0.7-2.el5.ppc", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", }, product_reference: "dovecot-0:1.0.7-2.el5.s390x", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", }, product_reference: "dovecot-0:1.0.7-2.el5.src", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", }, product_reference: "dovecot-0:1.0.7-2.el5.x86_64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.i386", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.i386", }, product_reference: "dovecot-0:1.0.7-2.el5.i386", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.ia64", }, product_reference: "dovecot-0:1.0.7-2.el5.ia64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.ppc", }, product_reference: "dovecot-0:1.0.7-2.el5.ppc", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.s390x", }, product_reference: "dovecot-0:1.0.7-2.el5.s390x", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.src as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.src", }, product_reference: "dovecot-0:1.0.7-2.el5.src", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.x86_64", }, product_reference: "dovecot-0:1.0.7-2.el5.x86_64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.i386", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", relates_to_product_reference: "5Server", }, ], }, vulnerabilities: [ { cve: "CVE-2007-2231", discovery_date: "2007-04-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "238439", }, ], notes: [ { category: "description", text: "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.", title: "Vulnerability description", }, { category: "summary", text: "Directory traversal in dovecot with zlib plugin", title: "Vulnerability summary", }, { category: "other", text: "This issue did not affect Red Hat Enterprise Linux prior to version 5.", title: "Statement", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2007-2231", }, { category: "external", summary: "RHBZ#238439", url: "https://bugzilla.redhat.com/show_bug.cgi?id=238439", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2007-2231", url: "https://www.cve.org/CVERecord?id=CVE-2007-2231", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2007-2231", url: "https://nvd.nist.gov/vuln/detail/CVE-2007-2231", }, ], release_date: "2007-03-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2008-05-20T14:28:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied. \n\nThis update is available via Red Hat Network. Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2008:0297", }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Directory traversal in dovecot with zlib plugin", }, { cve: "CVE-2007-4211", discovery_date: "2007-08-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "251007", }, ], notes: [ { category: "description", text: "The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command.", title: "Vulnerability description", }, { category: "summary", text: "Dovecot possible privilege ascalation in ACL plugin", title: "Vulnerability summary", }, { category: "other", text: "These issues did not affect the dovecot versions as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.", title: "Statement", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2007-4211", }, { category: "external", summary: "RHBZ#251007", url: "https://bugzilla.redhat.com/show_bug.cgi?id=251007", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2007-4211", url: "https://www.cve.org/CVERecord?id=CVE-2007-4211", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2007-4211", url: "https://nvd.nist.gov/vuln/detail/CVE-2007-4211", }, ], release_date: "2007-08-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2008-05-20T14:28:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied. \n\nThis update is available via Red Hat Network. Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2008:0297", }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Dovecot possible privilege ascalation in ACL plugin", }, { cve: "CVE-2007-6598", discovery_date: "2007-12-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "427575", }, ], notes: [ { category: "description", text: "Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password.", title: "Vulnerability description", }, { category: "summary", text: "dovecot LDAP+auth cache user login mixup", title: "Vulnerability summary", }, { category: "other", text: "This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux before version 5.", title: "Statement", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2007-6598", }, { category: "external", summary: "RHBZ#427575", url: "https://bugzilla.redhat.com/show_bug.cgi?id=427575", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2007-6598", url: "https://www.cve.org/CVERecord?id=CVE-2007-6598", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2007-6598", url: "https://nvd.nist.gov/vuln/detail/CVE-2007-6598", }, ], release_date: "2007-12-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2008-05-20T14:28:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied. \n\nThis update is available via Red Hat Network. Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2008:0297", }, ], threats: [ { category: "impact", details: "Low", }, ], title: "dovecot LDAP+auth cache user login mixup", }, { cve: "CVE-2008-1199", discovery_date: "2008-03-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "436927", }, ], notes: [ { category: "description", text: "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.", title: "Vulnerability description", }, { category: "summary", text: "dovecot: insecure mail_extra_groups option", title: "Vulnerability summary", }, { category: "other", text: "This issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2008-1199", }, { category: "external", summary: "RHBZ#436927", url: "https://bugzilla.redhat.com/show_bug.cgi?id=436927", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2008-1199", url: "https://www.cve.org/CVERecord?id=CVE-2008-1199", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2008-1199", url: "https://nvd.nist.gov/vuln/detail/CVE-2008-1199", }, ], release_date: "2008-03-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2008-05-20T14:28:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied. \n\nThis update is available via Red Hat Network. Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2008:0297", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 3.7, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:H/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "dovecot: insecure mail_extra_groups option", }, ], }
RHSA-2008:0297
Vulnerability from csaf_redhat
Published
2008-05-20 14:28
Modified
2024-11-22 01:40
Summary
Red Hat Security Advisory: dovecot security and bug fix update
Notes
Topic
An updated dovecot package that fixes several security issues and various
bugs is now available for Red Hat Enterprise Linux 5.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
Details
Dovecot is an IMAP server for Linux and UNIX-like systems, primarily
written with security in mind.
A flaw was discovered in the way Dovecot handled the "mail_extra_groups"
option. An authenticated attacker with local shell access could leverage
this flaw to read, modify, or delete other users mail that is stored on
the mail server. (CVE-2008-1199)
This issue did not affect the default Red Hat Enterprise Linux 5 Dovecot
configuration. This update adds two new configuration options --
"mail_privileged_group" and "mail_access_groups" -- to minimize the usage
of additional privileges.
A directory traversal flaw was discovered in Dovecot's zlib plug-in. An
authenticated user could use this flaw to view other compressed mailboxes
with the permissions of the Dovecot process. (CVE-2007-2231)
A flaw was found in the Dovecot ACL plug-in. User with only insert
permissions for a mailbox could use the "COPY" and "APPEND" commands to set
additional message flags. (CVE-2007-4211)
A flaw was found in a way Dovecot cached LDAP query results in certain
configurations. This could possibly allow authenticated users to log in as
a different user who has the same password. (CVE-2007-6598)
As well, this updated package fixes the following bugs:
* configuring "userdb" and "passdb" to use LDAP caused Dovecot to hang. A
segmentation fault may have occurred. In this updated package, using an
LDAP backend for "userdb" and "passdb" no longer causes Dovecot to hang.
* the Dovecot "login_process_size" limit was configured for 32-bit systems.
On 64-bit systems, when Dovecot was configured to use either IMAP or POP3,
the log in processes crashed with out-of-memory errors. Errors such as the
following were logged:
pop3-login: pop3-login: error while loading shared libraries:
libsepol.so.1: failed to map segment from shared object: Cannot allocate
memory
In this updated package, the "login_process_size" limit is correctly
configured on 64-bit systems, which resolves this issue.
Note: this updated package upgrades dovecot to version 1.0.7. For
further details, refer to the Dovecot changelog:
http://koji.fedoraproject.org/koji/buildinfo?buildID=23397
Users of dovecot are advised to upgrade to this updated package, which
resolves these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Low", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An updated dovecot package that fixes several security issues and various\nbugs is now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.", title: "Topic", }, { category: "general", text: "Dovecot is an IMAP server for Linux and UNIX-like systems, primarily\nwritten with security in mind.\n\nA flaw was discovered in the way Dovecot handled the \"mail_extra_groups\"\noption. An authenticated attacker with local shell access could leverage\nthis flaw to read, modify, or delete other users mail that is stored on\nthe mail server. (CVE-2008-1199)\n\nThis issue did not affect the default Red Hat Enterprise Linux 5 Dovecot\nconfiguration. This update adds two new configuration options --\n\"mail_privileged_group\" and \"mail_access_groups\" -- to minimize the usage\nof additional privileges.\n\nA directory traversal flaw was discovered in Dovecot's zlib plug-in. An\nauthenticated user could use this flaw to view other compressed mailboxes\nwith the permissions of the Dovecot process. (CVE-2007-2231)\n\nA flaw was found in the Dovecot ACL plug-in. User with only insert\npermissions for a mailbox could use the \"COPY\" and \"APPEND\" commands to set\nadditional message flags. (CVE-2007-4211)\n\nA flaw was found in a way Dovecot cached LDAP query results in certain\nconfigurations. This could possibly allow authenticated users to log in as\na different user who has the same password. (CVE-2007-6598)\n\nAs well, this updated package fixes the following bugs:\n\n* configuring \"userdb\" and \"passdb\" to use LDAP caused Dovecot to hang. A\nsegmentation fault may have occurred. In this updated package, using an\nLDAP backend for \"userdb\" and \"passdb\" no longer causes Dovecot to hang.\n\n* the Dovecot \"login_process_size\" limit was configured for 32-bit systems.\nOn 64-bit systems, when Dovecot was configured to use either IMAP or POP3,\nthe log in processes crashed with out-of-memory errors. Errors such as the\nfollowing were logged:\n\npop3-login: pop3-login: error while loading shared libraries:\nlibsepol.so.1: failed to map segment from shared object: Cannot allocate\nmemory\n\nIn this updated package, the \"login_process_size\" limit is correctly\nconfigured on 64-bit systems, which resolves this issue.\n\nNote: this updated package upgrades dovecot to version 1.0.7. For\nfurther details, refer to the Dovecot changelog:\nhttp://koji.fedoraproject.org/koji/buildinfo?buildID=23397\n\nUsers of dovecot are advised to upgrade to this updated package, which\nresolves these issues.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2008:0297", url: "https://access.redhat.com/errata/RHSA-2008:0297", }, { category: "external", summary: "http://www.redhat.com/security/updates/classification/#low", url: "http://www.redhat.com/security/updates/classification/#low", }, { category: "external", summary: "238439", url: "https://bugzilla.redhat.com/show_bug.cgi?id=238439", }, { category: "external", summary: "245249", url: "https://bugzilla.redhat.com/show_bug.cgi?id=245249", }, { category: "external", summary: "251007", url: "https://bugzilla.redhat.com/show_bug.cgi?id=251007", }, { category: "external", summary: "253363", url: "https://bugzilla.redhat.com/show_bug.cgi?id=253363", }, { category: "external", summary: "331441", url: "https://bugzilla.redhat.com/show_bug.cgi?id=331441", }, { category: "external", summary: "380401", url: "https://bugzilla.redhat.com/show_bug.cgi?id=380401", }, { category: "external", summary: "427575", url: "https://bugzilla.redhat.com/show_bug.cgi?id=427575", }, { category: "external", summary: "436927", url: "https://bugzilla.redhat.com/show_bug.cgi?id=436927", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2008/rhsa-2008_0297.json", }, ], title: "Red Hat Security Advisory: dovecot security and bug fix update", tracking: { current_release_date: "2024-11-22T01:40:32+00:00", generator: { date: "2024-11-22T01:40:32+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2008:0297", initial_release_date: "2008-05-20T14:28:00+00:00", revision_history: [ { date: "2008-05-20T14:28:00+00:00", number: "1", summary: "Initial version", }, { date: "2008-05-21T10:20:08+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T01:40:32+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product: { name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::client_workstation", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux (v. 5 server)", product: { name: "Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::server", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.src", product: { name: "dovecot-0:1.0.7-2.el5.src", product_id: "dovecot-0:1.0.7-2.el5.src", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.x86_64", product: { name: "dovecot-0:1.0.7-2.el5.x86_64", product_id: "dovecot-0:1.0.7-2.el5.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=x86_64", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.i386", product: { name: "dovecot-0:1.0.7-2.el5.i386", product_id: "dovecot-0:1.0.7-2.el5.i386", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=i386", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.i386", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.i386", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.i386", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=i386", }, }, }, ], category: "architecture", name: "i386", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.ia64", product: { name: "dovecot-0:1.0.7-2.el5.ia64", product_id: "dovecot-0:1.0.7-2.el5.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=ia64", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=ia64", }, }, }, ], category: "architecture", name: "ia64", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.ppc", product: { name: "dovecot-0:1.0.7-2.el5.ppc", product_id: "dovecot-0:1.0.7-2.el5.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=ppc", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=ppc", }, }, }, ], category: "architecture", name: "ppc", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.s390x", product: { name: "dovecot-0:1.0.7-2.el5.s390x", product_id: "dovecot-0:1.0.7-2.el5.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=s390x", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", }, product_reference: "dovecot-0:1.0.7-2.el5.i386", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", }, product_reference: "dovecot-0:1.0.7-2.el5.ia64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", }, product_reference: "dovecot-0:1.0.7-2.el5.ppc", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", }, product_reference: "dovecot-0:1.0.7-2.el5.s390x", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", }, product_reference: "dovecot-0:1.0.7-2.el5.src", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", }, product_reference: "dovecot-0:1.0.7-2.el5.x86_64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.i386", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.i386", }, product_reference: "dovecot-0:1.0.7-2.el5.i386", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.ia64", }, product_reference: "dovecot-0:1.0.7-2.el5.ia64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.ppc", }, product_reference: "dovecot-0:1.0.7-2.el5.ppc", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.s390x", }, product_reference: "dovecot-0:1.0.7-2.el5.s390x", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.src as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.src", }, product_reference: "dovecot-0:1.0.7-2.el5.src", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.x86_64", }, product_reference: "dovecot-0:1.0.7-2.el5.x86_64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.i386", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", relates_to_product_reference: "5Server", }, ], }, vulnerabilities: [ { cve: "CVE-2007-2231", discovery_date: "2007-04-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "238439", }, ], notes: [ { category: "description", text: "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.", title: "Vulnerability description", }, { category: "summary", text: "Directory traversal in dovecot with zlib plugin", title: "Vulnerability summary", }, { category: "other", text: "This issue did not affect Red Hat Enterprise Linux prior to version 5.", title: "Statement", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2007-2231", }, { category: "external", summary: "RHBZ#238439", url: "https://bugzilla.redhat.com/show_bug.cgi?id=238439", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2007-2231", url: "https://www.cve.org/CVERecord?id=CVE-2007-2231", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2007-2231", url: "https://nvd.nist.gov/vuln/detail/CVE-2007-2231", }, ], release_date: "2007-03-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2008-05-20T14:28:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied. \n\nThis update is available via Red Hat Network. Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2008:0297", }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Directory traversal in dovecot with zlib plugin", }, { cve: "CVE-2007-4211", discovery_date: "2007-08-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "251007", }, ], notes: [ { category: "description", text: "The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command.", title: "Vulnerability description", }, { category: "summary", text: "Dovecot possible privilege ascalation in ACL plugin", title: "Vulnerability summary", }, { category: "other", text: "These issues did not affect the dovecot versions as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.", title: "Statement", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2007-4211", }, { category: "external", summary: "RHBZ#251007", url: "https://bugzilla.redhat.com/show_bug.cgi?id=251007", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2007-4211", url: "https://www.cve.org/CVERecord?id=CVE-2007-4211", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2007-4211", url: "https://nvd.nist.gov/vuln/detail/CVE-2007-4211", }, ], release_date: "2007-08-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2008-05-20T14:28:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied. \n\nThis update is available via Red Hat Network. Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2008:0297", }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Dovecot possible privilege ascalation in ACL plugin", }, { cve: "CVE-2007-6598", discovery_date: "2007-12-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "427575", }, ], notes: [ { category: "description", text: "Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password.", title: "Vulnerability description", }, { category: "summary", text: "dovecot LDAP+auth cache user login mixup", title: "Vulnerability summary", }, { category: "other", text: "This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux before version 5.", title: "Statement", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2007-6598", }, { category: "external", summary: "RHBZ#427575", url: "https://bugzilla.redhat.com/show_bug.cgi?id=427575", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2007-6598", url: "https://www.cve.org/CVERecord?id=CVE-2007-6598", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2007-6598", url: "https://nvd.nist.gov/vuln/detail/CVE-2007-6598", }, ], release_date: "2007-12-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2008-05-20T14:28:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied. \n\nThis update is available via Red Hat Network. Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2008:0297", }, ], threats: [ { category: "impact", details: "Low", }, ], title: "dovecot LDAP+auth cache user login mixup", }, { cve: "CVE-2008-1199", discovery_date: "2008-03-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "436927", }, ], notes: [ { category: "description", text: "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.", title: "Vulnerability description", }, { category: "summary", text: "dovecot: insecure mail_extra_groups option", title: "Vulnerability summary", }, { category: "other", text: "This issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2008-1199", }, { category: "external", summary: "RHBZ#436927", url: "https://bugzilla.redhat.com/show_bug.cgi?id=436927", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2008-1199", url: "https://www.cve.org/CVERecord?id=CVE-2008-1199", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2008-1199", url: "https://nvd.nist.gov/vuln/detail/CVE-2008-1199", }, ], release_date: "2008-03-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2008-05-20T14:28:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied. \n\nThis update is available via Red Hat Network. Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2008:0297", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 3.7, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:H/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "dovecot: insecure mail_extra_groups option", }, ], }
rhsa-2008_0297
Vulnerability from csaf_redhat
Published
2008-05-20 14:28
Modified
2024-11-22 01:40
Summary
Red Hat Security Advisory: dovecot security and bug fix update
Notes
Topic
An updated dovecot package that fixes several security issues and various
bugs is now available for Red Hat Enterprise Linux 5.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
Details
Dovecot is an IMAP server for Linux and UNIX-like systems, primarily
written with security in mind.
A flaw was discovered in the way Dovecot handled the "mail_extra_groups"
option. An authenticated attacker with local shell access could leverage
this flaw to read, modify, or delete other users mail that is stored on
the mail server. (CVE-2008-1199)
This issue did not affect the default Red Hat Enterprise Linux 5 Dovecot
configuration. This update adds two new configuration options --
"mail_privileged_group" and "mail_access_groups" -- to minimize the usage
of additional privileges.
A directory traversal flaw was discovered in Dovecot's zlib plug-in. An
authenticated user could use this flaw to view other compressed mailboxes
with the permissions of the Dovecot process. (CVE-2007-2231)
A flaw was found in the Dovecot ACL plug-in. User with only insert
permissions for a mailbox could use the "COPY" and "APPEND" commands to set
additional message flags. (CVE-2007-4211)
A flaw was found in a way Dovecot cached LDAP query results in certain
configurations. This could possibly allow authenticated users to log in as
a different user who has the same password. (CVE-2007-6598)
As well, this updated package fixes the following bugs:
* configuring "userdb" and "passdb" to use LDAP caused Dovecot to hang. A
segmentation fault may have occurred. In this updated package, using an
LDAP backend for "userdb" and "passdb" no longer causes Dovecot to hang.
* the Dovecot "login_process_size" limit was configured for 32-bit systems.
On 64-bit systems, when Dovecot was configured to use either IMAP or POP3,
the log in processes crashed with out-of-memory errors. Errors such as the
following were logged:
pop3-login: pop3-login: error while loading shared libraries:
libsepol.so.1: failed to map segment from shared object: Cannot allocate
memory
In this updated package, the "login_process_size" limit is correctly
configured on 64-bit systems, which resolves this issue.
Note: this updated package upgrades dovecot to version 1.0.7. For
further details, refer to the Dovecot changelog:
http://koji.fedoraproject.org/koji/buildinfo?buildID=23397
Users of dovecot are advised to upgrade to this updated package, which
resolves these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Low", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An updated dovecot package that fixes several security issues and various\nbugs is now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.", title: "Topic", }, { category: "general", text: "Dovecot is an IMAP server for Linux and UNIX-like systems, primarily\nwritten with security in mind.\n\nA flaw was discovered in the way Dovecot handled the \"mail_extra_groups\"\noption. An authenticated attacker with local shell access could leverage\nthis flaw to read, modify, or delete other users mail that is stored on\nthe mail server. (CVE-2008-1199)\n\nThis issue did not affect the default Red Hat Enterprise Linux 5 Dovecot\nconfiguration. This update adds two new configuration options --\n\"mail_privileged_group\" and \"mail_access_groups\" -- to minimize the usage\nof additional privileges.\n\nA directory traversal flaw was discovered in Dovecot's zlib plug-in. An\nauthenticated user could use this flaw to view other compressed mailboxes\nwith the permissions of the Dovecot process. (CVE-2007-2231)\n\nA flaw was found in the Dovecot ACL plug-in. User with only insert\npermissions for a mailbox could use the \"COPY\" and \"APPEND\" commands to set\nadditional message flags. (CVE-2007-4211)\n\nA flaw was found in a way Dovecot cached LDAP query results in certain\nconfigurations. This could possibly allow authenticated users to log in as\na different user who has the same password. (CVE-2007-6598)\n\nAs well, this updated package fixes the following bugs:\n\n* configuring \"userdb\" and \"passdb\" to use LDAP caused Dovecot to hang. A\nsegmentation fault may have occurred. In this updated package, using an\nLDAP backend for \"userdb\" and \"passdb\" no longer causes Dovecot to hang.\n\n* the Dovecot \"login_process_size\" limit was configured for 32-bit systems.\nOn 64-bit systems, when Dovecot was configured to use either IMAP or POP3,\nthe log in processes crashed with out-of-memory errors. Errors such as the\nfollowing were logged:\n\npop3-login: pop3-login: error while loading shared libraries:\nlibsepol.so.1: failed to map segment from shared object: Cannot allocate\nmemory\n\nIn this updated package, the \"login_process_size\" limit is correctly\nconfigured on 64-bit systems, which resolves this issue.\n\nNote: this updated package upgrades dovecot to version 1.0.7. For\nfurther details, refer to the Dovecot changelog:\nhttp://koji.fedoraproject.org/koji/buildinfo?buildID=23397\n\nUsers of dovecot are advised to upgrade to this updated package, which\nresolves these issues.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2008:0297", url: "https://access.redhat.com/errata/RHSA-2008:0297", }, { category: "external", summary: "http://www.redhat.com/security/updates/classification/#low", url: "http://www.redhat.com/security/updates/classification/#low", }, { category: "external", summary: "238439", url: "https://bugzilla.redhat.com/show_bug.cgi?id=238439", }, { category: "external", summary: "245249", url: "https://bugzilla.redhat.com/show_bug.cgi?id=245249", }, { category: "external", summary: "251007", url: "https://bugzilla.redhat.com/show_bug.cgi?id=251007", }, { category: "external", summary: "253363", url: "https://bugzilla.redhat.com/show_bug.cgi?id=253363", }, { category: "external", summary: "331441", url: "https://bugzilla.redhat.com/show_bug.cgi?id=331441", }, { category: "external", summary: "380401", url: "https://bugzilla.redhat.com/show_bug.cgi?id=380401", }, { category: "external", summary: "427575", url: "https://bugzilla.redhat.com/show_bug.cgi?id=427575", }, { category: "external", summary: "436927", url: "https://bugzilla.redhat.com/show_bug.cgi?id=436927", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2008/rhsa-2008_0297.json", }, ], title: "Red Hat Security Advisory: dovecot security and bug fix update", tracking: { current_release_date: "2024-11-22T01:40:32+00:00", generator: { date: "2024-11-22T01:40:32+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2008:0297", initial_release_date: "2008-05-20T14:28:00+00:00", revision_history: [ { date: "2008-05-20T14:28:00+00:00", number: "1", summary: "Initial version", }, { date: "2008-05-21T10:20:08+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T01:40:32+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product: { name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::client_workstation", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux (v. 5 server)", product: { name: "Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::server", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.src", product: { name: "dovecot-0:1.0.7-2.el5.src", product_id: "dovecot-0:1.0.7-2.el5.src", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.x86_64", product: { name: "dovecot-0:1.0.7-2.el5.x86_64", product_id: "dovecot-0:1.0.7-2.el5.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=x86_64", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.i386", product: { name: "dovecot-0:1.0.7-2.el5.i386", product_id: "dovecot-0:1.0.7-2.el5.i386", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=i386", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.i386", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.i386", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.i386", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=i386", }, }, }, ], category: "architecture", name: "i386", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.ia64", product: { name: "dovecot-0:1.0.7-2.el5.ia64", product_id: "dovecot-0:1.0.7-2.el5.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=ia64", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=ia64", }, }, }, ], category: "architecture", name: "ia64", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.ppc", product: { name: "dovecot-0:1.0.7-2.el5.ppc", product_id: "dovecot-0:1.0.7-2.el5.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=ppc", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=ppc", }, }, }, ], category: "architecture", name: "ppc", }, { branches: [ { category: "product_version", name: "dovecot-0:1.0.7-2.el5.s390x", product: { name: "dovecot-0:1.0.7-2.el5.s390x", product_id: "dovecot-0:1.0.7-2.el5.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=s390x", }, }, }, { category: "product_version", name: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", product: { name: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", product_id: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", }, product_reference: "dovecot-0:1.0.7-2.el5.i386", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", }, product_reference: "dovecot-0:1.0.7-2.el5.ia64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", }, product_reference: "dovecot-0:1.0.7-2.el5.ppc", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", }, product_reference: "dovecot-0:1.0.7-2.el5.s390x", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", }, product_reference: "dovecot-0:1.0.7-2.el5.src", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", }, product_reference: "dovecot-0:1.0.7-2.el5.x86_64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.i386", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", relates_to_product_reference: "5Client-Workstation", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.i386", }, product_reference: "dovecot-0:1.0.7-2.el5.i386", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.ia64", }, product_reference: "dovecot-0:1.0.7-2.el5.ia64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.ppc", }, product_reference: "dovecot-0:1.0.7-2.el5.ppc", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.s390x", }, product_reference: "dovecot-0:1.0.7-2.el5.s390x", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.src as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.src", }, product_reference: "dovecot-0:1.0.7-2.el5.src", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-0:1.0.7-2.el5.x86_64", }, product_reference: "dovecot-0:1.0.7-2.el5.x86_64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.i386", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.ia64", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.ppc", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.s390x", relates_to_product_reference: "5Server", }, { category: "default_component_of", full_product_name: { name: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", }, product_reference: "dovecot-debuginfo-0:1.0.7-2.el5.x86_64", relates_to_product_reference: "5Server", }, ], }, vulnerabilities: [ { cve: "CVE-2007-2231", discovery_date: "2007-04-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "238439", }, ], notes: [ { category: "description", text: "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.", title: "Vulnerability description", }, { category: "summary", text: "Directory traversal in dovecot with zlib plugin", title: "Vulnerability summary", }, { category: "other", text: "This issue did not affect Red Hat Enterprise Linux prior to version 5.", title: "Statement", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2007-2231", }, { category: "external", summary: "RHBZ#238439", url: "https://bugzilla.redhat.com/show_bug.cgi?id=238439", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2007-2231", url: "https://www.cve.org/CVERecord?id=CVE-2007-2231", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2007-2231", url: "https://nvd.nist.gov/vuln/detail/CVE-2007-2231", }, ], release_date: "2007-03-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2008-05-20T14:28:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied. \n\nThis update is available via Red Hat Network. Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2008:0297", }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Directory traversal in dovecot with zlib plugin", }, { cve: "CVE-2007-4211", discovery_date: "2007-08-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "251007", }, ], notes: [ { category: "description", text: "The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command.", title: "Vulnerability description", }, { category: "summary", text: "Dovecot possible privilege ascalation in ACL plugin", title: "Vulnerability summary", }, { category: "other", text: "These issues did not affect the dovecot versions as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.", title: "Statement", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2007-4211", }, { category: "external", summary: "RHBZ#251007", url: "https://bugzilla.redhat.com/show_bug.cgi?id=251007", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2007-4211", url: "https://www.cve.org/CVERecord?id=CVE-2007-4211", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2007-4211", url: "https://nvd.nist.gov/vuln/detail/CVE-2007-4211", }, ], release_date: "2007-08-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2008-05-20T14:28:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied. \n\nThis update is available via Red Hat Network. Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2008:0297", }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Dovecot possible privilege ascalation in ACL plugin", }, { cve: "CVE-2007-6598", discovery_date: "2007-12-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "427575", }, ], notes: [ { category: "description", text: "Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password.", title: "Vulnerability description", }, { category: "summary", text: "dovecot LDAP+auth cache user login mixup", title: "Vulnerability summary", }, { category: "other", text: "This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux before version 5.", title: "Statement", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2007-6598", }, { category: "external", summary: "RHBZ#427575", url: "https://bugzilla.redhat.com/show_bug.cgi?id=427575", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2007-6598", url: "https://www.cve.org/CVERecord?id=CVE-2007-6598", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2007-6598", url: "https://nvd.nist.gov/vuln/detail/CVE-2007-6598", }, ], release_date: "2007-12-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2008-05-20T14:28:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied. \n\nThis update is available via Red Hat Network. Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2008:0297", }, ], threats: [ { category: "impact", details: "Low", }, ], title: "dovecot LDAP+auth cache user login mixup", }, { cve: "CVE-2008-1199", discovery_date: "2008-03-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "436927", }, ], notes: [ { category: "description", text: "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.", title: "Vulnerability description", }, { category: "summary", text: "dovecot: insecure mail_extra_groups option", title: "Vulnerability summary", }, { category: "other", text: "This issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2008-1199", }, { category: "external", summary: "RHBZ#436927", url: "https://bugzilla.redhat.com/show_bug.cgi?id=436927", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2008-1199", url: "https://www.cve.org/CVERecord?id=CVE-2008-1199", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2008-1199", url: "https://nvd.nist.gov/vuln/detail/CVE-2008-1199", }, ], release_date: "2008-03-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2008-05-20T14:28:00+00:00", details: "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied. \n\nThis update is available via Red Hat Network. Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188", product_ids: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2008:0297", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 3.7, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:H/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-0:1.0.7-2.el5.src", "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", "5Server:dovecot-0:1.0.7-2.el5.i386", "5Server:dovecot-0:1.0.7-2.el5.ia64", "5Server:dovecot-0:1.0.7-2.el5.ppc", "5Server:dovecot-0:1.0.7-2.el5.s390x", "5Server:dovecot-0:1.0.7-2.el5.src", "5Server:dovecot-0:1.0.7-2.el5.x86_64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x", "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "dovecot: insecure mail_extra_groups option", }, ], }
gsd-2007-2231
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
Aliases
Aliases
{ GSD: { alias: "CVE-2007-2231", description: "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.", id: "GSD-2007-2231", references: [ "https://www.suse.com/security/cve/CVE-2007-2231.html", "https://www.debian.org/security/2007/dsa-1359", "https://access.redhat.com/errata/RHSA-2008:0297", "https://linux.oracle.com/cve/CVE-2007-2231.html", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2007-2231", ], details: "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.", id: "GSD-2007-2231", modified: "2023-12-13T01:21:37.282238Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2007-2231", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "USN-487-1", refsource: "UBUNTU", url: "http://www.ubuntu.com/usn/usn-487-1", }, { name: "30342", refsource: "SECUNIA", url: "http://secunia.com/advisories/30342", }, { name: "RHSA-2008:0297", refsource: "REDHAT", url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html", }, { name: "23552", refsource: "BID", url: "http://www.securityfocus.com/bid/23552", }, { name: "DSA-1359", refsource: "DEBIAN", url: "http://www.debian.org/security/2007/dsa-1359", }, { name: "http://dovecot.org/doc/NEWS", refsource: "CONFIRM", url: "http://dovecot.org/doc/NEWS", }, { name: "[dovecot-cvs] 20070330 dovecot/src/lib-storage/index/mbox mbox-storage.c, 1.145.2.14, 1.145.2.15", refsource: "MLIST", url: "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html", }, { name: "oval:org.mitre.oval:def:10995", refsource: "OVAL", url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995", }, { name: "dovecot-mboxstorage-directory-traversal(34082)", refsource: "XF", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082", }, { name: "SUSE-SR:2007:008", refsource: "SUSE", url: "http://www.novell.com/linux/security/advisories/2007_8_sr.html", }, { name: "ADV-2007-1452", refsource: "VUPEN", url: "http://www.vupen.com/english/advisories/2007/1452", }, { name: "[dovecot-news] 20070330 Security hole #3: zlib plugin allows opening any gziped mboxes", refsource: "MLIST", url: "http://dovecot.org/list/dovecot-news/2007-March/000038.html", }, { name: "25072", refsource: "SECUNIA", url: "http://secunia.com/advisories/25072", }, { name: "20070418 rPSA-2007-0074-1 dovecot", refsource: "BUGTRAQ", url: "http://www.securityfocus.com/archive/1/466168/100/0/threaded", }, ], }, }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.beta4:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.beta5:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc20:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc27:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc28:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc18:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc19:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc25:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc26:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.beta6:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc21:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc22:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.beta1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.beta9:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc16:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc17:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc23:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc24:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2007-2231", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], }, ], }, references: { reference_data: [ { name: "[dovecot-cvs] 20070330 dovecot/src/lib-storage/index/mbox mbox-storage.c, 1.145.2.14, 1.145.2.15", refsource: "MLIST", tags: [], url: "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html", }, { name: "[dovecot-news] 20070330 Security hole #3: zlib plugin allows opening any gziped mboxes", refsource: "MLIST", tags: [], url: "http://dovecot.org/list/dovecot-news/2007-March/000038.html", }, { name: "http://dovecot.org/doc/NEWS", refsource: "CONFIRM", tags: [], url: "http://dovecot.org/doc/NEWS", }, { name: "23552", refsource: "BID", tags: [], url: "http://www.securityfocus.com/bid/23552", }, { name: "SUSE-SR:2007:008", refsource: "SUSE", tags: [], url: "http://www.novell.com/linux/security/advisories/2007_8_sr.html", }, { name: "25072", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/25072", }, { name: "DSA-1359", refsource: "DEBIAN", tags: [], url: "http://www.debian.org/security/2007/dsa-1359", }, { name: "USN-487-1", refsource: "UBUNTU", tags: [], url: "http://www.ubuntu.com/usn/usn-487-1", }, { name: "30342", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/30342", }, { name: "RHSA-2008:0297", refsource: "REDHAT", tags: [], url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html", }, { name: "ADV-2007-1452", refsource: "VUPEN", tags: [], url: "http://www.vupen.com/english/advisories/2007/1452", }, { name: "dovecot-mboxstorage-directory-traversal(34082)", refsource: "XF", tags: [], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082", }, { name: "oval:org.mitre.oval:def:10995", refsource: "OVAL", tags: [], url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995", }, { name: "20070418 rPSA-2007-0074-1 dovecot", refsource: "BUGTRAQ", tags: [], url: "http://www.securityfocus.com/archive/1/466168/100/0/threaded", }, ], }, }, impact: { baseMetricV2: { cvssV2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: false, }, }, lastModifiedDate: "2018-10-16T16:42Z", publishedDate: "2007-04-25T15:19Z", }, }, }
ghsa-8qfr-2vxg-8g3g
Vulnerability from github
Published
2022-05-01 18:01
Modified
2022-05-01 18:01
Details
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
{ affected: [], aliases: [ "CVE-2007-2231", ], database_specific: { cwe_ids: [], github_reviewed: false, github_reviewed_at: null, nvd_published_at: "2007-04-25T15:19:00Z", severity: "MODERATE", }, details: "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.", id: "GHSA-8qfr-2vxg-8g3g", modified: "2022-05-01T18:01:29Z", published: "2022-05-01T18:01:29Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2007-2231", }, { type: "WEB", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082", }, { type: "WEB", url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995", }, { type: "WEB", url: "http://dovecot.org/doc/NEWS", }, { type: "WEB", url: "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html", }, { type: "WEB", url: "http://dovecot.org/list/dovecot-news/2007-March/000038.html", }, { type: "WEB", url: "http://secunia.com/advisories/25072", }, { type: "WEB", url: "http://secunia.com/advisories/30342", }, { type: "WEB", url: "http://www.debian.org/security/2007/dsa-1359", }, { type: "WEB", url: "http://www.novell.com/linux/security/advisories/2007_8_sr.html", }, { type: "WEB", url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html", }, { type: "WEB", url: "http://www.securityfocus.com/archive/1/466168/100/0/threaded", }, { type: "WEB", url: "http://www.securityfocus.com/bid/23552", }, { type: "WEB", url: "http://www.ubuntu.com/usn/usn-487-1", }, { type: "WEB", url: "http://www.vupen.com/english/advisories/2007/1452", }, ], schema_version: "1.4.0", severity: [], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.