Vulnerability-Lookup

CVE-2008-1199 (GCVE-0-2008-1199)

Vulnerability from cvelistv5 – Published: 2008-03-06 21:00 – Updated: 2024-08-07 08:17

Summary

Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://security.gentoo.org/glsa/glsa-200803-25.xml	vendor-advisoryx_refsource_GENTOO
	https://oval.cisecurity.org/repository/search/def…	vdb-entrysignaturex_refsource_OVAL
	http://www.dovecot.org/list/dovecot-news/2008-Mar…	mailing-listx_refsource_MLIST
	http://secunia.com/advisories/29557	third-party-advisoryx_refsource_SECUNIA
	http://www.securityfocus.com/archive/1/489133/100…	mailing-listx_refsource_BUGTRAQ
	http://secunia.com/advisories/30342	third-party-advisoryx_refsource_SECUNIA
	http://www.redhat.com/support/errata/RHSA-2008-02…	vendor-advisoryx_refsource_REDHAT
	http://www.debian.org/security/2008/dsa-1516	vendor-advisoryx_refsource_DEBIAN
	https://usn.ubuntu.com/593-1/	vendor-advisoryx_refsource_UBUNTU
	https://www.redhat.com/archives/fedora-package-an…	vendor-advisoryx_refsource_FEDORA
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	http://www.securityfocus.com/bid/28092	vdb-entryx_refsource_BID
	http://secunia.com/advisories/29226	third-party-advisoryx_refsource_SECUNIA
	http://secunia.com/advisories/32151	third-party-advisoryx_refsource_SECUNIA
	http://secunia.com/advisories/29385	third-party-advisoryx_refsource_SECUNIA
	https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entryx_refsource_XF
	https://www.redhat.com/archives/fedora-package-an…	vendor-advisoryx_refsource_FEDORA
	http://secunia.com/advisories/29396	third-party-advisoryx_refsource_SECUNIA

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T08:17:33.897Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "GLSA-200803-25",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml"
          },
          {
            "name": "oval:org.mitre.oval:def:10739",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739"
          },
          {
            "name": "[Dovecot-news] 20080504 v1.0.11 released",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html"
          },
          {
            "name": "29557",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/29557"
          },
          {
            "name": "20080304 Dovecot mail_extra_groups setting is often used insecurely",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded"
          },
          {
            "name": "30342",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/30342"
          },
          {
            "name": "RHSA-2008:0297",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html"
          },
          {
            "name": "DSA-1516",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2008/dsa-1516"
          },
          {
            "name": "USN-593-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/593-1/"
          },
          {
            "name": "FEDORA-2008-2475",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html"
          },
          {
            "name": "SUSE-SR:2008:020",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html"
          },
          {
            "name": "28092",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/28092"
          },
          {
            "name": "29226",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/29226"
          },
          {
            "name": "32151",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/32151"
          },
          {
            "name": "29385",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/29385"
          },
          {
            "name": "dovecot-mailextragroups-unauth-access(41009)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009"
          },
          {
            "name": "FEDORA-2008-2464",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html"
          },
          {
            "name": "29396",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/29396"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2008-03-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-11T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "GLSA-200803-25",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml"
        },
        {
          "name": "oval:org.mitre.oval:def:10739",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739"
        },
        {
          "name": "[Dovecot-news] 20080504 v1.0.11 released",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html"
        },
        {
          "name": "29557",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/29557"
        },
        {
          "name": "20080304 Dovecot mail_extra_groups setting is often used insecurely",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded"
        },
        {
          "name": "30342",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/30342"
        },
        {
          "name": "RHSA-2008:0297",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html"
        },
        {
          "name": "DSA-1516",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2008/dsa-1516"
        },
        {
          "name": "USN-593-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/593-1/"
        },
        {
          "name": "FEDORA-2008-2475",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html"
        },
        {
          "name": "SUSE-SR:2008:020",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html"
        },
        {
          "name": "28092",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/28092"
        },
        {
          "name": "29226",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/29226"
        },
        {
          "name": "32151",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/32151"
        },
        {
          "name": "29385",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/29385"
        },
        {
          "name": "dovecot-mailextragroups-unauth-access(41009)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009"
        },
        {
          "name": "FEDORA-2008-2464",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html"
        },
        {
          "name": "29396",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/29396"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2008-1199",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "GLSA-200803-25",
              "refsource": "GENTOO",
              "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml"
            },
            {
              "name": "oval:org.mitre.oval:def:10739",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739"
            },
            {
              "name": "[Dovecot-news] 20080504 v1.0.11 released",
              "refsource": "MLIST",
              "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html"
            },
            {
              "name": "29557",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/29557"
            },
            {
              "name": "20080304 Dovecot mail_extra_groups setting is often used insecurely",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded"
            },
            {
              "name": "30342",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/30342"
            },
            {
              "name": "RHSA-2008:0297",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html"
            },
            {
              "name": "DSA-1516",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2008/dsa-1516"
            },
            {
              "name": "USN-593-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/593-1/"
            },
            {
              "name": "FEDORA-2008-2475",
              "refsource": "FEDORA",
              "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html"
            },
            {
              "name": "SUSE-SR:2008:020",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html"
            },
            {
              "name": "28092",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/28092"
            },
            {
              "name": "29226",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/29226"
            },
            {
              "name": "32151",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/32151"
            },
            {
              "name": "29385",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/29385"
            },
            {
              "name": "dovecot-mailextragroups-unauth-access(41009)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009"
            },
            {
              "name": "FEDORA-2008-2464",
              "refsource": "FEDORA",
              "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html"
            },
            {
              "name": "29396",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/29396"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2008-1199",
    "datePublished": "2008-03-06T21:00:00",
    "dateReserved": "2008-03-06T00:00:00",
    "dateUpdated": "2024-08-07T08:17:33.897Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D0616CCF-D278-4B6D-A58B-393BCA128CF1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D3C7BE64-7C1E-4043-A1C5-D0A7377C01A7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4240BD98-3C31-42CE-AF8F-045DD4BFC084\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1C05ACA0-ED87-4DDF-94B6-8D25BE1790F1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8A8C0C4A-F9DB-4BB7-BFC5-BEC22C3FE40B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B7E00B56-A1E5-4261-8349-37654AA9FB64\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E66427AA-A9D4-413F-8354-EA61407307C1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D74BE6C7-114D-4885-8472-FFE71C817B8A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4A349510-4D00-4978-93D9-3F9F5E0CD8DE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B65B9EFD-1531-463C-992E-F0F16AABF9C3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"34BA7146-5793-44F4-9569-9D868FE6E325\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B5078363-6B42-491B-A219-F8D8A86132BF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9D680474-C329-4DD0-B4EA-2406E27EC474\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"165A0D0B-C6B0-431F-BF36-223A27CD6A42\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"99268D48-CF82-450B-A033-D87AF4109531\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B2E09737-8107-45C0-BFF1-FB4CF81564CD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"91E74D81-DF10-423A-8549-3BB5ED02B5A6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07D6853E-7E81-443D-8806-C8469217F55C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D1BE4B6A-47A2-457B-B6B8-8FE5C2026A11\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7382F655-9B27-443D-9397-346FBEADEFDA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6F180045-A0DA-40A3-AD3E-F3402FB6456A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C1A2FFE7-D008-47B4-80E7-AEC176918E06\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8C840337-7B31-476B-BBCD-65F4899925E6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"545EF2F5-9BAE-4612-9958-70A5413818A6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E80096F8-46D9-42E3-8CDB-99ADA2CBD970\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9E504866-3429-4A4C-8278-5C2753D356C7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"30857130-636F-4719-9F1E-8F6369F40DAC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9843D7CE-4723-4200-AFD4-5B31545A287E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"54AF1D92-D89B-4DE4-9D47-72466873A4C7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"64A8FCA5-1666-48F7-9689-37D9315813F7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D4D517F3-F0A8-4362-89B9-0ED63515283F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3AAE9E7C-49CC-48C3-B47C-CDC5802356A7\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.\"}, {\"lang\": \"es\", \"value\": \"Dovecot antes de 1.0.11, cuando se configura para utilizar mail_extra_groups para permitir a Dovecot crear dotlocks en /var/mail, podr\\u00eda permitir a usuarios locales leer archivos de mail sensibles para otros usuarios, o modificar archivos o directorios que sean escribibles por el grupo, a trav\\u00e9s de un ataque de enlaces simb\\u00f3licos.\"}]",
      "id": "CVE-2008-1199",
      "lastModified": "2024-11-21T00:43:55.700",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 4.4, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 3.4, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2008-03-06T21:44:00.000",
      "references": "[{\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/29226\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/29385\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/29396\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/29557\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/30342\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/32151\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://security.gentoo.org/glsa/glsa-200803-25.xml\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.debian.org/security/2008/dsa-1516\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.dovecot.org/list/dovecot-news/2008-March/000061.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.redhat.com/support/errata/RHSA-2008-0297.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/archive/1/489133/100/0/threaded\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/bid/28092\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/41009\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://usn.ubuntu.com/593-1/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/29226\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/29385\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/29396\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/29557\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/30342\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/32151\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://security.gentoo.org/glsa/glsa-200803-25.xml\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.debian.org/security/2008/dsa-1516\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.dovecot.org/list/dovecot-news/2008-March/000061.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.redhat.com/support/errata/RHSA-2008-0297.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/archive/1/489133/100/0/threaded\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/28092\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/41009\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://usn.ubuntu.com/593-1/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vendorComments": "[{\"organization\": \"Red Hat\", \"comment\": \"Red Hat is aware of this issue and is tracking it via the following bug:\\nhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1199\\n\\nThis issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.\\n\\nThe Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. \\n\\nAn update to Red Hat Enterprise Linux 5 was released to correct this issue:\\nhttps://rhn.redhat.com/errata/RHSA-2008-0297.html\\n\", \"lastModified\": \"2008-05-21T00:00:00\"}]",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-16\"}, {\"lang\": \"en\", \"value\": \"CWE-59\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2008-1199\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2008-03-06T21:44:00.000\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.\"},{\"lang\":\"es\",\"value\":\"Dovecot antes de 1.0.11, cuando se configura para utilizar mail_extra_groups para permitir a Dovecot crear dotlocks en /var/mail, podr\u00eda permitir a usuarios locales leer archivos de mail sensibles para otros usuarios, o modificar archivos o directorios que sean escribibles por el grupo, a trav\u00e9s de un ataque de enlaces simb\u00f3licos.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":4.4,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.4,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-16\"},{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D0616CCF-D278-4B6D-A58B-393BCA128CF1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3C7BE64-7C1E-4043-A1C5-D0A7377C01A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4240BD98-3C31-42CE-AF8F-045DD4BFC084\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1C05ACA0-ED87-4DDF-94B6-8D25BE1790F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A8C0C4A-F9DB-4BB7-BFC5-BEC22C3FE40B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B7E00B56-A1E5-4261-8349-37654AA9FB64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E66427AA-A9D4-413F-8354-EA61407307C1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D74BE6C7-114D-4885-8472-FFE71C817B8A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A349510-4D00-4978-93D9-3F9F5E0CD8DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B65B9EFD-1531-463C-992E-F0F16AABF9C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"34BA7146-5793-44F4-9569-9D868FE6E325\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B5078363-6B42-491B-A219-F8D8A86132BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D680474-C329-4DD0-B4EA-2406E27EC474\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"165A0D0B-C6B0-431F-BF36-223A27CD6A42\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99268D48-CF82-450B-A033-D87AF4109531\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2E09737-8107-45C0-BFF1-FB4CF81564CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"91E74D81-DF10-423A-8549-3BB5ED02B5A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07D6853E-7E81-443D-8806-C8469217F55C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1BE4B6A-47A2-457B-B6B8-8FE5C2026A11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7382F655-9B27-443D-9397-346FBEADEFDA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F180045-A0DA-40A3-AD3E-F3402FB6456A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C1A2FFE7-D008-47B4-80E7-AEC176918E06\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C840337-7B31-476B-BBCD-65F4899925E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"545EF2F5-9BAE-4612-9958-70A5413818A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E80096F8-46D9-42E3-8CDB-99ADA2CBD970\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E504866-3429-4A4C-8278-5C2753D356C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"30857130-636F-4719-9F1E-8F6369F40DAC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9843D7CE-4723-4200-AFD4-5B31545A287E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"54AF1D92-D89B-4DE4-9D47-72466873A4C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"64A8FCA5-1666-48F7-9689-37D9315813F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D4D517F3-F0A8-4362-89B9-0ED63515283F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3AAE9E7C-49CC-48C3-B47C-CDC5802356A7\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/29226\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/29385\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/29396\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/29557\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/30342\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/32151\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://security.gentoo.org/glsa/glsa-200803-25.xml\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.debian.org/security/2008/dsa-1516\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.dovecot.org/list/dovecot-news/2008-March/000061.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2008-0297.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/archive/1/489133/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/28092\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41009\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://usn.ubuntu.com/593-1/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/29226\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/29385\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/29396\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/29557\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/30342\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/32151\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://security.gentoo.org/glsa/glsa-200803-25.xml\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2008/dsa-1516\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.dovecot.org/list/dovecot-news/2008-March/000061.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2008-0297.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/489133/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/28092\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41009\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/593-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"vendorComments\":[{\"organization\":\"Red Hat\",\"comment\":\"Red Hat is aware of this issue and is tracking it via the following bug:\\nhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1199\\n\\nThis issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.\\n\\nThe Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. \\n\\nAn update to Red Hat Enterprise Linux 5 was released to correct this issue:\\nhttps://rhn.redhat.com/errata/RHSA-2008-0297.html\\n\",\"lastModified\":\"2008-05-21T00:00:00\"}]}}"
  }
}

RHSA-2008_0297

Vulnerability from csaf_redhat - Published: 2008-05-20 14:28 - Updated: 2024-11-22 01:40

Summary

Red Hat Security Advisory: dovecot security and bug fix update

Notes

Topic

An updated dovecot package that fixes several security issues and various bugs is now available for Red Hat Enterprise Linux 5. This update has been rated as having low security impact by the Red Hat Security Response Team.

Details

Dovecot is an IMAP server for Linux and UNIX-like systems, primarily written with security in mind. A flaw was discovered in the way Dovecot handled the "mail_extra_groups" option. An authenticated attacker with local shell access could leverage this flaw to read, modify, or delete other users mail that is stored on the mail server. (CVE-2008-1199) This issue did not affect the default Red Hat Enterprise Linux 5 Dovecot configuration. This update adds two new configuration options -- "mail_privileged_group" and "mail_access_groups" -- to minimize the usage of additional privileges. A directory traversal flaw was discovered in Dovecot's zlib plug-in. An authenticated user could use this flaw to view other compressed mailboxes with the permissions of the Dovecot process. (CVE-2007-2231) A flaw was found in the Dovecot ACL plug-in. User with only insert permissions for a mailbox could use the "COPY" and "APPEND" commands to set additional message flags. (CVE-2007-4211) A flaw was found in a way Dovecot cached LDAP query results in certain configurations. This could possibly allow authenticated users to log in as a different user who has the same password. (CVE-2007-6598) As well, this updated package fixes the following bugs: * configuring "userdb" and "passdb" to use LDAP caused Dovecot to hang. A segmentation fault may have occurred. In this updated package, using an LDAP backend for "userdb" and "passdb" no longer causes Dovecot to hang. * the Dovecot "login_process_size" limit was configured for 32-bit systems. On 64-bit systems, when Dovecot was configured to use either IMAP or POP3, the log in processes crashed with out-of-memory errors. Errors such as the following were logged: pop3-login: pop3-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory In this updated package, the "login_process_size" limit is correctly configured on 64-bit systems, which resolves this issue. Note: this updated package upgrades dovecot to version 1.0.7. For further details, refer to the Dovecot changelog: http://koji.fedoraproject.org/koji/buildinfo?buildID=23397 Users of dovecot are advised to upgrade to this updated package, which resolves these issues.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated dovecot package that fixes several security issues and various\nbugs is now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Dovecot is an IMAP server for Linux and UNIX-like systems, primarily\nwritten with security in mind.\n\nA flaw was discovered in the way Dovecot handled the \"mail_extra_groups\"\noption. An authenticated attacker with local shell access could leverage\nthis flaw to read, modify, or delete other users mail that is stored on\nthe mail server. (CVE-2008-1199)\n\nThis issue did not affect the default Red Hat Enterprise Linux 5 Dovecot\nconfiguration. This update adds two new configuration options --\n\"mail_privileged_group\" and \"mail_access_groups\" -- to minimize the usage\nof additional privileges.\n\nA directory traversal flaw was discovered in Dovecot\u0027s zlib plug-in. An\nauthenticated user could use this flaw to view other compressed mailboxes\nwith the permissions of the Dovecot process. (CVE-2007-2231)\n\nA flaw was found in the Dovecot ACL plug-in. User with only insert\npermissions for a mailbox could use the \"COPY\" and \"APPEND\" commands to set\nadditional message flags. (CVE-2007-4211)\n\nA flaw was found in a way Dovecot cached LDAP query results in certain\nconfigurations. This could possibly allow authenticated users to log in as\na different user who has the same password. (CVE-2007-6598)\n\nAs well, this updated package fixes the following bugs:\n\n* configuring \"userdb\" and \"passdb\" to use LDAP caused Dovecot to hang. A\nsegmentation fault may have occurred. In this updated package, using an\nLDAP backend for \"userdb\" and \"passdb\" no longer causes Dovecot to hang.\n\n* the Dovecot \"login_process_size\" limit was configured for 32-bit systems.\nOn 64-bit systems, when Dovecot was configured to use either IMAP or POP3,\nthe log in processes crashed with out-of-memory errors. Errors such as the\nfollowing were logged:\n\npop3-login: pop3-login: error while loading shared libraries:\nlibsepol.so.1: failed to map segment from shared object: Cannot allocate\nmemory\n\nIn this updated package, the \"login_process_size\" limit is correctly\nconfigured on 64-bit systems, which resolves this issue.\n\nNote: this updated package upgrades dovecot to version 1.0.7. For\nfurther details, refer to the Dovecot changelog:\nhttp://koji.fedoraproject.org/koji/buildinfo?buildID=23397\n\nUsers of dovecot are advised to upgrade to this updated package, which\nresolves these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2008:0297",
        "url": "https://access.redhat.com/errata/RHSA-2008:0297"
      },
      {
        "category": "external",
        "summary": "http://www.redhat.com/security/updates/classification/#low",
        "url": "http://www.redhat.com/security/updates/classification/#low"
      },
      {
        "category": "external",
        "summary": "238439",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=238439"
      },
      {
        "category": "external",
        "summary": "245249",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=245249"
      },
      {
        "category": "external",
        "summary": "251007",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=251007"
      },
      {
        "category": "external",
        "summary": "253363",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=253363"
      },
      {
        "category": "external",
        "summary": "331441",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=331441"
      },
      {
        "category": "external",
        "summary": "380401",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=380401"
      },
      {
        "category": "external",
        "summary": "427575",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=427575"
      },
      {
        "category": "external",
        "summary": "436927",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=436927"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2008/rhsa-2008_0297.json"
      }
    ],
    "title": "Red Hat Security Advisory: dovecot security and bug fix update",
    "tracking": {
      "current_release_date": "2024-11-22T01:40:32+00:00",
      "generator": {
        "date": "2024-11-22T01:40:32+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2008:0297",
      "initial_release_date": "2008-05-20T14:28:00+00:00",
      "revision_history": [
        {
          "date": "2008-05-20T14:28:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2008-05-21T10:20:08+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T01:40:32+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
                "product": {
                  "name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
                  "product_id": "5Client-Workstation",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:5::client_workstation"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux (v. 5 server)",
                "product": {
                  "name": "Red Hat Enterprise Linux (v. 5 server)",
                  "product_id": "5Server",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:5::server"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-2.el5.src",
                "product": {
                  "name": "dovecot-0:1.0.7-2.el5.src",
                  "product_id": "dovecot-0:1.0.7-2.el5.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-2.el5.x86_64",
                "product": {
                  "name": "dovecot-0:1.0.7-2.el5.x86_64",
                  "product_id": "dovecot-0:1.0.7-2.el5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
                  "product_id": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-2.el5.i386",
                "product": {
                  "name": "dovecot-0:1.0.7-2.el5.i386",
                  "product_id": "dovecot-0:1.0.7-2.el5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=i386"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-2.el5.i386",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-2.el5.i386",
                  "product_id": "dovecot-debuginfo-0:1.0.7-2.el5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=i386"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i386"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-2.el5.ia64",
                "product": {
                  "name": "dovecot-0:1.0.7-2.el5.ia64",
                  "product_id": "dovecot-0:1.0.7-2.el5.ia64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=ia64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-2.el5.ia64",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-2.el5.ia64",
                  "product_id": "dovecot-debuginfo-0:1.0.7-2.el5.ia64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=ia64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ia64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-2.el5.ppc",
                "product": {
                  "name": "dovecot-0:1.0.7-2.el5.ppc",
                  "product_id": "dovecot-0:1.0.7-2.el5.ppc",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=ppc"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-2.el5.ppc",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-2.el5.ppc",
                  "product_id": "dovecot-debuginfo-0:1.0.7-2.el5.ppc",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=ppc"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-2.el5.s390x",
                "product": {
                  "name": "dovecot-0:1.0.7-2.el5.s390x",
                  "product_id": "dovecot-0:1.0.7-2.el5.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-2.el5.s390x",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-2.el5.s390x",
                  "product_id": "dovecot-debuginfo-0:1.0.7-2.el5.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.i386",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.ia64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.ppc",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.s390x",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-2.el5.src"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.src",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.x86_64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.i386",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.ia64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.ppc",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.s390x",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-2.el5.i386"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.i386",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-2.el5.ia64"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.ia64",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-2.el5.ppc"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.ppc",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-2.el5.s390x"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.s390x",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.src as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-2.el5.src"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.src",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-2.el5.x86_64"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.x86_64",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.i386",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.ia64",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.ppc",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.s390x",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
        "relates_to_product_reference": "5Server"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2007-2231",
      "discovery_date": "2007-04-25T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "238439"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Directory traversal in dovecot with zlib plugin",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue did not affect Red Hat Enterprise Linux prior to version 5.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-0:1.0.7-2.el5.i386",
          "5Server:dovecot-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-0:1.0.7-2.el5.src",
          "5Server:dovecot-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2007-2231"
        },
        {
          "category": "external",
          "summary": "RHBZ#238439",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=238439"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2007-2231",
          "url": "https://www.cve.org/CVERecord?id=CVE-2007-2231"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2007-2231",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-2231"
        }
      ],
      "release_date": "2007-03-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2008-05-20T14:28:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.  \n\nThis update is available via Red Hat Network.  Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
          "product_ids": [
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-0:1.0.7-2.el5.i386",
            "5Server:dovecot-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-0:1.0.7-2.el5.src",
            "5Server:dovecot-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2008:0297"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Directory traversal in dovecot with zlib plugin"
    },
    {
      "cve": "CVE-2007-4211",
      "discovery_date": "2007-08-03T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "251007"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Dovecot possible privilege ascalation in ACL plugin",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "These issues did not affect the dovecot versions as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-0:1.0.7-2.el5.i386",
          "5Server:dovecot-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-0:1.0.7-2.el5.src",
          "5Server:dovecot-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2007-4211"
        },
        {
          "category": "external",
          "summary": "RHBZ#251007",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=251007"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2007-4211",
          "url": "https://www.cve.org/CVERecord?id=CVE-2007-4211"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2007-4211",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-4211"
        }
      ],
      "release_date": "2007-08-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2008-05-20T14:28:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.  \n\nThis update is available via Red Hat Network.  Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
          "product_ids": [
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-0:1.0.7-2.el5.i386",
            "5Server:dovecot-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-0:1.0.7-2.el5.src",
            "5Server:dovecot-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2008:0297"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Dovecot possible privilege ascalation in ACL plugin"
    },
    {
      "cve": "CVE-2007-6598",
      "discovery_date": "2007-12-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "427575"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "dovecot LDAP+auth cache user login mixup",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux before version 5.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-0:1.0.7-2.el5.i386",
          "5Server:dovecot-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-0:1.0.7-2.el5.src",
          "5Server:dovecot-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2007-6598"
        },
        {
          "category": "external",
          "summary": "RHBZ#427575",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=427575"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2007-6598",
          "url": "https://www.cve.org/CVERecord?id=CVE-2007-6598"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2007-6598",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6598"
        }
      ],
      "release_date": "2007-12-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2008-05-20T14:28:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.  \n\nThis update is available via Red Hat Network.  Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
          "product_ids": [
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-0:1.0.7-2.el5.i386",
            "5Server:dovecot-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-0:1.0.7-2.el5.src",
            "5Server:dovecot-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2008:0297"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "dovecot LDAP+auth cache user login mixup"
    },
    {
      "cve": "CVE-2008-1199",
      "discovery_date": "2008-03-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "436927"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "dovecot: insecure mail_extra_groups option",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-0:1.0.7-2.el5.i386",
          "5Server:dovecot-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-0:1.0.7-2.el5.src",
          "5Server:dovecot-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2008-1199"
        },
        {
          "category": "external",
          "summary": "RHBZ#436927",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=436927"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2008-1199",
          "url": "https://www.cve.org/CVERecord?id=CVE-2008-1199"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-1199",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1199"
        }
      ],
      "release_date": "2008-03-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2008-05-20T14:28:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.  \n\nThis update is available via Red Hat Network.  Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
          "product_ids": [
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-0:1.0.7-2.el5.i386",
            "5Server:dovecot-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-0:1.0.7-2.el5.src",
            "5Server:dovecot-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2008:0297"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 3.7,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-0:1.0.7-2.el5.i386",
            "5Server:dovecot-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-0:1.0.7-2.el5.src",
            "5Server:dovecot-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "dovecot: insecure mail_extra_groups option"
    }
  ]
}

RHSA-2008:0297

Vulnerability from csaf_redhat - Published: 2008-05-20 14:28 - Updated: 2026-01-08 09:21

Summary

Red Hat Security Advisory: dovecot security and bug fix update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated dovecot package that fixes several security issues and various\nbugs is now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Dovecot is an IMAP server for Linux and UNIX-like systems, primarily\nwritten with security in mind.\n\nA flaw was discovered in the way Dovecot handled the \"mail_extra_groups\"\noption. An authenticated attacker with local shell access could leverage\nthis flaw to read, modify, or delete other users mail that is stored on\nthe mail server. (CVE-2008-1199)\n\nThis issue did not affect the default Red Hat Enterprise Linux 5 Dovecot\nconfiguration. This update adds two new configuration options --\n\"mail_privileged_group\" and \"mail_access_groups\" -- to minimize the usage\nof additional privileges.\n\nA directory traversal flaw was discovered in Dovecot\u0027s zlib plug-in. An\nauthenticated user could use this flaw to view other compressed mailboxes\nwith the permissions of the Dovecot process. (CVE-2007-2231)\n\nA flaw was found in the Dovecot ACL plug-in. User with only insert\npermissions for a mailbox could use the \"COPY\" and \"APPEND\" commands to set\nadditional message flags. (CVE-2007-4211)\n\nA flaw was found in a way Dovecot cached LDAP query results in certain\nconfigurations. This could possibly allow authenticated users to log in as\na different user who has the same password. (CVE-2007-6598)\n\nAs well, this updated package fixes the following bugs:\n\n* configuring \"userdb\" and \"passdb\" to use LDAP caused Dovecot to hang. A\nsegmentation fault may have occurred. In this updated package, using an\nLDAP backend for \"userdb\" and \"passdb\" no longer causes Dovecot to hang.\n\n* the Dovecot \"login_process_size\" limit was configured for 32-bit systems.\nOn 64-bit systems, when Dovecot was configured to use either IMAP or POP3,\nthe log in processes crashed with out-of-memory errors. Errors such as the\nfollowing were logged:\n\npop3-login: pop3-login: error while loading shared libraries:\nlibsepol.so.1: failed to map segment from shared object: Cannot allocate\nmemory\n\nIn this updated package, the \"login_process_size\" limit is correctly\nconfigured on 64-bit systems, which resolves this issue.\n\nNote: this updated package upgrades dovecot to version 1.0.7. For\nfurther details, refer to the Dovecot changelog:\nhttp://koji.fedoraproject.org/koji/buildinfo?buildID=23397\n\nUsers of dovecot are advised to upgrade to this updated package, which\nresolves these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2008:0297",
        "url": "https://access.redhat.com/errata/RHSA-2008:0297"
      },
      {
        "category": "external",
        "summary": "http://www.redhat.com/security/updates/classification/#low",
        "url": "http://www.redhat.com/security/updates/classification/#low"
      },
      {
        "category": "external",
        "summary": "238439",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=238439"
      },
      {
        "category": "external",
        "summary": "245249",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=245249"
      },
      {
        "category": "external",
        "summary": "251007",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=251007"
      },
      {
        "category": "external",
        "summary": "253363",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=253363"
      },
      {
        "category": "external",
        "summary": "331441",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=331441"
      },
      {
        "category": "external",
        "summary": "380401",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=380401"
      },
      {
        "category": "external",
        "summary": "427575",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=427575"
      },
      {
        "category": "external",
        "summary": "436927",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=436927"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2008/rhsa-2008_0297.json"
      }
    ],
    "title": "Red Hat Security Advisory: dovecot security and bug fix update",
    "tracking": {
      "current_release_date": "2026-01-08T09:21:04+00:00",
      "generator": {
        "date": "2026-01-08T09:21:04+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.14"
        }
      },
      "id": "RHSA-2008:0297",
      "initial_release_date": "2008-05-20T14:28:00+00:00",
      "revision_history": [
        {
          "date": "2008-05-20T14:28:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2008-05-21T10:20:08+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-01-08T09:21:04+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
                "product": {
                  "name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
                  "product_id": "5Client-Workstation",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:5::client_workstation"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux (v. 5 server)",
                "product": {
                  "name": "Red Hat Enterprise Linux (v. 5 server)",
                  "product_id": "5Server",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:5::server"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-2.el5.src",
                "product": {
                  "name": "dovecot-0:1.0.7-2.el5.src",
                  "product_id": "dovecot-0:1.0.7-2.el5.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-2.el5.x86_64",
                "product": {
                  "name": "dovecot-0:1.0.7-2.el5.x86_64",
                  "product_id": "dovecot-0:1.0.7-2.el5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
                  "product_id": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-2.el5.i386",
                "product": {
                  "name": "dovecot-0:1.0.7-2.el5.i386",
                  "product_id": "dovecot-0:1.0.7-2.el5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=i386"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-2.el5.i386",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-2.el5.i386",
                  "product_id": "dovecot-debuginfo-0:1.0.7-2.el5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=i386"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i386"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-2.el5.ia64",
                "product": {
                  "name": "dovecot-0:1.0.7-2.el5.ia64",
                  "product_id": "dovecot-0:1.0.7-2.el5.ia64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=ia64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-2.el5.ia64",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-2.el5.ia64",
                  "product_id": "dovecot-debuginfo-0:1.0.7-2.el5.ia64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=ia64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ia64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-2.el5.ppc",
                "product": {
                  "name": "dovecot-0:1.0.7-2.el5.ppc",
                  "product_id": "dovecot-0:1.0.7-2.el5.ppc",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=ppc"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-2.el5.ppc",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-2.el5.ppc",
                  "product_id": "dovecot-debuginfo-0:1.0.7-2.el5.ppc",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=ppc"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-2.el5.s390x",
                "product": {
                  "name": "dovecot-0:1.0.7-2.el5.s390x",
                  "product_id": "dovecot-0:1.0.7-2.el5.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-2.el5?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-2.el5.s390x",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-2.el5.s390x",
                  "product_id": "dovecot-debuginfo-0:1.0.7-2.el5.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-2.el5?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.i386",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.ia64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.ppc",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.s390x",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-2.el5.src"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.src",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.x86_64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.i386",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.ia64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.ppc",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.s390x",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-2.el5.i386"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.i386",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-2.el5.ia64"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.ia64",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-2.el5.ppc"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.ppc",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-2.el5.s390x"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.s390x",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.src as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-2.el5.src"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.src",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-2.el5.x86_64"
        },
        "product_reference": "dovecot-0:1.0.7-2.el5.x86_64",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.i386",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.ia64",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.ppc",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.s390x",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
        "relates_to_product_reference": "5Server"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2007-2231",
      "discovery_date": "2007-04-25T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "238439"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Directory traversal in dovecot with zlib plugin",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue did not affect Red Hat Enterprise Linux prior to version 5.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-0:1.0.7-2.el5.i386",
          "5Server:dovecot-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-0:1.0.7-2.el5.src",
          "5Server:dovecot-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2007-2231"
        },
        {
          "category": "external",
          "summary": "RHBZ#238439",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=238439"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2007-2231",
          "url": "https://www.cve.org/CVERecord?id=CVE-2007-2231"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2007-2231",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-2231"
        }
      ],
      "release_date": "2007-03-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2008-05-20T14:28:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.  \n\nThis update is available via Red Hat Network.  Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
          "product_ids": [
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-0:1.0.7-2.el5.i386",
            "5Server:dovecot-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-0:1.0.7-2.el5.src",
            "5Server:dovecot-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2008:0297"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Directory traversal in dovecot with zlib plugin"
    },
    {
      "cve": "CVE-2007-4211",
      "discovery_date": "2007-08-03T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "251007"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "No description is available for this CVE.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Dovecot possible privilege ascalation in ACL plugin",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "These issues did not affect the dovecot versions as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-0:1.0.7-2.el5.i386",
          "5Server:dovecot-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-0:1.0.7-2.el5.src",
          "5Server:dovecot-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2007-4211"
        },
        {
          "category": "external",
          "summary": "RHBZ#251007",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=251007"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2007-4211",
          "url": "https://www.cve.org/CVERecord?id=CVE-2007-4211"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2007-4211",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-4211"
        }
      ],
      "release_date": "2007-08-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2008-05-20T14:28:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.  \n\nThis update is available via Red Hat Network.  Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
          "product_ids": [
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-0:1.0.7-2.el5.i386",
            "5Server:dovecot-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-0:1.0.7-2.el5.src",
            "5Server:dovecot-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2008:0297"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Dovecot possible privilege ascalation in ACL plugin"
    },
    {
      "cve": "CVE-2007-6598",
      "discovery_date": "2007-12-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "427575"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "dovecot LDAP+auth cache user login mixup",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux before version 5.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-0:1.0.7-2.el5.i386",
          "5Server:dovecot-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-0:1.0.7-2.el5.src",
          "5Server:dovecot-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2007-6598"
        },
        {
          "category": "external",
          "summary": "RHBZ#427575",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=427575"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2007-6598",
          "url": "https://www.cve.org/CVERecord?id=CVE-2007-6598"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2007-6598",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6598"
        }
      ],
      "release_date": "2007-12-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2008-05-20T14:28:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.  \n\nThis update is available via Red Hat Network.  Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
          "product_ids": [
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-0:1.0.7-2.el5.i386",
            "5Server:dovecot-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-0:1.0.7-2.el5.src",
            "5Server:dovecot-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2008:0297"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "dovecot LDAP+auth cache user login mixup"
    },
    {
      "cve": "CVE-2008-1199",
      "discovery_date": "2008-03-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "436927"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "dovecot: insecure mail_extra_groups option",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
          "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-0:1.0.7-2.el5.i386",
          "5Server:dovecot-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-0:1.0.7-2.el5.src",
          "5Server:dovecot-0:1.0.7-2.el5.x86_64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
          "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2008-1199"
        },
        {
          "category": "external",
          "summary": "RHBZ#436927",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=436927"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2008-1199",
          "url": "https://www.cve.org/CVERecord?id=CVE-2008-1199"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-1199",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1199"
        }
      ],
      "release_date": "2008-03-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2008-05-20T14:28:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.  \n\nThis update is available via Red Hat Network.  Details on how to use \nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
          "product_ids": [
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-0:1.0.7-2.el5.i386",
            "5Server:dovecot-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-0:1.0.7-2.el5.src",
            "5Server:dovecot-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2008:0297"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 3.7,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-2.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-0:1.0.7-2.el5.i386",
            "5Server:dovecot-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-0:1.0.7-2.el5.src",
            "5Server:dovecot-0:1.0.7-2.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-2.el5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "dovecot: insecure mail_extra_groups option"
    }
  ]
}

FKIE_CVE-2008-1199

Vulnerability from fkie_nvd - Published: 2008-03-06 21:44 - Updated: 2025-04-09 00:30

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html
cve@mitre.org	http://secunia.com/advisories/29226
cve@mitre.org	http://secunia.com/advisories/29385
cve@mitre.org	http://secunia.com/advisories/29396
cve@mitre.org	http://secunia.com/advisories/29557
cve@mitre.org	http://secunia.com/advisories/30342
cve@mitre.org	http://secunia.com/advisories/32151
cve@mitre.org	http://security.gentoo.org/glsa/glsa-200803-25.xml
cve@mitre.org	http://www.debian.org/security/2008/dsa-1516
cve@mitre.org	http://www.dovecot.org/list/dovecot-news/2008-March/000061.html	Patch
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2008-0297.html
cve@mitre.org	http://www.securityfocus.com/archive/1/489133/100/0/threaded
cve@mitre.org	http://www.securityfocus.com/bid/28092	Patch
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/41009
cve@mitre.org	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739
cve@mitre.org	https://usn.ubuntu.com/593-1/
cve@mitre.org	https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html
cve@mitre.org	https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/29226
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/29385
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/29396
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/29557
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/30342
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/32151
af854a3a-2127-422b-91ae-364da2661108	http://security.gentoo.org/glsa/glsa-200803-25.xml
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2008/dsa-1516
af854a3a-2127-422b-91ae-364da2661108	http://www.dovecot.org/list/dovecot-news/2008-March/000061.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2008-0297.html
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/489133/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/28092	Patch
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/41009
af854a3a-2127-422b-91ae-364da2661108	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739
af854a3a-2127-422b-91ae-364da2661108	https://usn.ubuntu.com/593-1/
af854a3a-2127-422b-91ae-364da2661108	https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html
af854a3a-2127-422b-91ae-364da2661108	https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html

Impacted products

Vendor	Product	Version
dovecot	dovecot	0.99.13
dovecot	dovecot	0.99.14
dovecot	dovecot	1.0
dovecot	dovecot	1.0.2
dovecot	dovecot	1.0.3
dovecot	dovecot	1.0.4
dovecot	dovecot	1.0.5
dovecot	dovecot	1.0.6
dovecot	dovecot	1.0.7
dovecot	dovecot	1.0.8
dovecot	dovecot	1.0.9
dovecot	dovecot	1.0.10
dovecot	dovecot	1.0.beta2
dovecot	dovecot	1.0.beta3
dovecot	dovecot	1.0.beta7
dovecot	dovecot	1.0.beta8
dovecot	dovecot	1.0.rc1
dovecot	dovecot	1.0.rc2
dovecot	dovecot	1.0.rc3
dovecot	dovecot	1.0.rc4
dovecot	dovecot	1.0.rc5
dovecot	dovecot	1.0.rc6
dovecot	dovecot	1.0.rc7
dovecot	dovecot	1.0.rc8
dovecot	dovecot	1.0.rc9
dovecot	dovecot	1.0.rc10
dovecot	dovecot	1.0.rc11
dovecot	dovecot	1.0.rc12
dovecot	dovecot	1.0.rc13
dovecot	dovecot	1.0.rc14
dovecot	dovecot	1.0.rc15
dovecot	dovecot	1.0_rc29

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "D0616CCF-D278-4B6D-A58B-393BCA128CF1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3C7BE64-7C1E-4043-A1C5-D0A7377C01A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4240BD98-3C31-42CE-AF8F-045DD4BFC084",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C05ACA0-ED87-4DDF-94B6-8D25BE1790F1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A8C0C4A-F9DB-4BB7-BFC5-BEC22C3FE40B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7E00B56-A1E5-4261-8349-37654AA9FB64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "E66427AA-A9D4-413F-8354-EA61407307C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "D74BE6C7-114D-4885-8472-FFE71C817B8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A349510-4D00-4978-93D9-3F9F5E0CD8DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "B65B9EFD-1531-463C-992E-F0F16AABF9C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "34BA7146-5793-44F4-9569-9D868FE6E325",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "B5078363-6B42-491B-A219-F8D8A86132BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D680474-C329-4DD0-B4EA-2406E27EC474",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*",
              "matchCriteriaId": "165A0D0B-C6B0-431F-BF36-223A27CD6A42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*",
              "matchCriteriaId": "99268D48-CF82-450B-A033-D87AF4109531",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*",
              "matchCriteriaId": "B2E09737-8107-45C0-BFF1-FB4CF81564CD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*",
              "matchCriteriaId": "91E74D81-DF10-423A-8549-3BB5ED02B5A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*",
              "matchCriteriaId": "07D6853E-7E81-443D-8806-C8469217F55C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D1BE4B6A-47A2-457B-B6B8-8FE5C2026A11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*",
              "matchCriteriaId": "7382F655-9B27-443D-9397-346FBEADEFDA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F180045-A0DA-40A3-AD3E-F3402FB6456A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*",
              "matchCriteriaId": "C1A2FFE7-D008-47B4-80E7-AEC176918E06",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C840337-7B31-476B-BBCD-65F4899925E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*",
              "matchCriteriaId": "545EF2F5-9BAE-4612-9958-70A5413818A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*",
              "matchCriteriaId": "E80096F8-46D9-42E3-8CDB-99ADA2CBD970",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E504866-3429-4A4C-8278-5C2753D356C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*",
              "matchCriteriaId": "30857130-636F-4719-9F1E-8F6369F40DAC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*",
              "matchCriteriaId": "9843D7CE-4723-4200-AFD4-5B31545A287E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*",
              "matchCriteriaId": "54AF1D92-D89B-4DE4-9D47-72466873A4C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*",
              "matchCriteriaId": "64A8FCA5-1666-48F7-9689-37D9315813F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4D517F3-F0A8-4362-89B9-0ED63515283F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*",
              "matchCriteriaId": "3AAE9E7C-49CC-48C3-B47C-CDC5802356A7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack."
    },
    {
      "lang": "es",
      "value": "Dovecot antes de 1.0.11, cuando se configura para utilizar mail_extra_groups para permitir a Dovecot crear dotlocks en /var/mail, podr\u00eda permitir a usuarios locales leer archivos de mail sensibles para otros usuarios, o modificar archivos o directorios que sean escribibles por el grupo, a trav\u00e9s de un ataque de enlaces simb\u00f3licos."
    }
  ],
  "id": "CVE-2008-1199",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2008-03-06T21:44:00.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/29226"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/29385"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/29396"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/29557"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/30342"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/32151"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.debian.org/security/2008/dsa-1516"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/28092"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://usn.ubuntu.com/593-1/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/29226"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/29385"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/29396"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/29557"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/30342"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/32151"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2008/dsa-1516"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/28092"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://usn.ubuntu.com/593-1/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vendorComments": [
    {
      "comment": "Red Hat is aware of this issue and is tracking it via the following bug:\nhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1199\n\nThis issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.\n\nThe Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. \n\nAn update to Red Hat Enterprise Linux 5 was released to correct this issue:\nhttps://rhn.redhat.com/errata/RHSA-2008-0297.html\n",
      "lastModified": "2008-05-21T00:00:00",
      "organization": "Red Hat"
    }
  ],
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-16"
        },
        {
          "lang": "en",
          "value": "CWE-59"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-778F-C3R9-6VMP

Vulnerability from github – Published: 2022-05-01 23:37 – Updated: 2025-04-09 03:52

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2008-1199"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-03-06T21:44:00Z",
    "severity": "MODERATE"
  },
  "details": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.",
  "id": "GHSA-778f-c3r9-6vmp",
  "modified": "2025-04-09T03:52:15Z",
  "published": "2022-05-01T23:37:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1199"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/593-1"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29226"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29385"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29396"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29557"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/30342"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32151"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2008/dsa-1516"
    },
    {
      "type": "WEB",
      "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28092"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2008-1199

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2008-1199

Aliases

CVE-2008-1199

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2008-1199",
    "description": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.",
    "id": "GSD-2008-1199",
    "references": [
      "https://www.suse.com/security/cve/CVE-2008-1199.html",
      "https://www.debian.org/security/2008/dsa-1516",
      "https://access.redhat.com/errata/RHSA-2008:0297",
      "https://linux.oracle.com/cve/CVE-2008-1199.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2008-1199"
      ],
      "details": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.",
      "id": "GSD-2008-1199",
      "modified": "2023-12-13T01:23:03.318069Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2008-1199",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "GLSA-200803-25",
            "refsource": "GENTOO",
            "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml"
          },
          {
            "name": "oval:org.mitre.oval:def:10739",
            "refsource": "OVAL",
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739"
          },
          {
            "name": "[Dovecot-news] 20080504 v1.0.11 released",
            "refsource": "MLIST",
            "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html"
          },
          {
            "name": "29557",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/29557"
          },
          {
            "name": "20080304 Dovecot mail_extra_groups setting is often used insecurely",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded"
          },
          {
            "name": "30342",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/30342"
          },
          {
            "name": "RHSA-2008:0297",
            "refsource": "REDHAT",
            "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html"
          },
          {
            "name": "DSA-1516",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2008/dsa-1516"
          },
          {
            "name": "USN-593-1",
            "refsource": "UBUNTU",
            "url": "https://usn.ubuntu.com/593-1/"
          },
          {
            "name": "FEDORA-2008-2475",
            "refsource": "FEDORA",
            "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html"
          },
          {
            "name": "SUSE-SR:2008:020",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html"
          },
          {
            "name": "28092",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/28092"
          },
          {
            "name": "29226",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/29226"
          },
          {
            "name": "32151",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/32151"
          },
          {
            "name": "29385",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/29385"
          },
          {
            "name": "dovecot-mailextragroups-unauth-access(41009)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009"
          },
          {
            "name": "FEDORA-2008-2464",
            "refsource": "FEDORA",
            "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html"
          },
          {
            "name": "29396",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/29396"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2008-1199"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-16"
                },
                {
                  "lang": "en",
                  "value": "CWE-59"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[Dovecot-news] 20080504 v1.0.11 released",
              "refsource": "MLIST",
              "tags": [
                "Patch"
              ],
              "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html"
            },
            {
              "name": "28092",
              "refsource": "BID",
              "tags": [
                "Patch"
              ],
              "url": "http://www.securityfocus.com/bid/28092"
            },
            {
              "name": "FEDORA-2008-2464",
              "refsource": "FEDORA",
              "tags": [],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html"
            },
            {
              "name": "FEDORA-2008-2475",
              "refsource": "FEDORA",
              "tags": [],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html"
            },
            {
              "name": "29226",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/29226"
            },
            {
              "name": "DSA-1516",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "http://www.debian.org/security/2008/dsa-1516"
            },
            {
              "name": "GLSA-200803-25",
              "refsource": "GENTOO",
              "tags": [],
              "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml"
            },
            {
              "name": "29385",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/29385"
            },
            {
              "name": "29396",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/29396"
            },
            {
              "name": "29557",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/29557"
            },
            {
              "name": "32151",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/32151"
            },
            {
              "name": "SUSE-SR:2008:020",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html"
            },
            {
              "name": "30342",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/30342"
            },
            {
              "name": "RHSA-2008:0297",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html"
            },
            {
              "name": "dovecot-mailextragroups-unauth-access(41009)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009"
            },
            {
              "name": "oval:org.mitre.oval:def:10739",
              "refsource": "OVAL",
              "tags": [],
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739"
            },
            {
              "name": "USN-593-1",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "https://usn.ubuntu.com/593-1/"
            },
            {
              "name": "20080304 Dovecot mail_extra_groups setting is often used insecurely",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 3.4,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2018-10-11T20:30Z",
      "publishedDate": "2008-03-06T21:44Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2008-1199 (GCVE-0-2008-1199)

RHSA-2008_0297

RHSA-2008:0297

FKIE_CVE-2008-1199

GHSA-778F-C3R9-6VMP

GSD-2008-1199

Tags

Sightings

Nomenclature