<<< Date Index >>>     <<< Thread Index >>>

Re: rPSA-2008-0001-1 dovecot



>> References:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6598
>
>This CVE does not exist - do you mean
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794

No, CVE-2007-6598 is correct.  Sometimes a CVE number is publicly used
before it has been updated on the public CVE web server, especially
with Linux distros (a couple Debian advisories today currently have
the same issue).  This "race condition" is an artifact of our CVE
reservation and web site processes.  This particular item will be on
the CVE site shortly.

>> http://wiki.rpath.com/Advisories:rPSA-2008-0001
>
>This is rather misleading - the bug was not in Dovecot, but in
>nss_ldap.  You may have put a workaround into Dovecot, but it would
>have been polite to mention this fact.

The announcement from Timo Sirainen, the upstream developer, does not
mention nss_ldap :

  http://dovecot.org/list/dovecot-news/2007-December/000057.html
  http://dovecot.org/list/dovecot-news/2007-December/000058.html

... so perhaps some clarification is in order.

- Steve