Re: rPSA-2008-0001-1 dovecot

To: "Steven M. Christey" <coley@xxxxxxxxx>
Subject: Re: rPSA-2008-0001-1 dovecot
From: Jonathan Smith <smithj@xxxxxxxxx>
Date: Thu, 03 Jan 2008 22:31:59 -0900
Cc: dom@xxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <200801040113.m041D4p5021000@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200801040113.m041D4p5021000@xxxxxxxxxxxxxxx>
User-agent: Thunderbird 2.0.0.6 (X11/20071117)

Steven M. Christey wrote:

No, CVE-2007-6598 is correct.

> [snip]

The announcement from Timo Sirainen, the upstream developer, does not
mention nss_ldap :

  http://dovecot.org/list/dovecot-news/2007-December/000057.html
  http://dovecot.org/list/dovecot-news/2007-December/000058.html

... so perhaps some clarification is in order.

rPath fixed the nss_ldap issue a month ago with rPSA-2007-0255-1. Ourmailing list archived it athttp://lists.rpath.com/pipermail/security-announce/2007-November/000284.html,but it should have been sent to bugtraq as well.

The fix did not require any modifications to dovecot, so that is whydovecot wasn't mentioned in the advisory.


        smithj

References:
- Re: rPSA-2008-0001-1 dovecot
  - From: Steven M. Christey

Prev by Date: Re: rPSA-2008-0001-1 dovecot
Next by Date: Some DoS in some telnet servers
Previous by thread: Re: rPSA-2008-0001-1 dovecot
Next by thread: multiple CAPTCHA automation test bypass digest
Index(es):
- Date
- Thread