
Re: rPSA-2008-0001-1 dovecot



Steven M. Christey wrote:
No, CVE-2007-6598 is correct.
> [snip]
The announcement from Timo Sirainen, the upstream developer, does not
mention nss_ldap:

  http://dovecot.org/list/dovecot-news/2007-December/000057.html
  http://dovecot.org/list/dovecot-news/2007-December/000058.html

... so perhaps some clarification is in order.

rPath fixed the nss_ldap issue a month ago with rPSA-2007-0255-1. Our mailing list archived it at http://lists.rpath.com/pipermail/security-announce/2007-November/000284.html, but it should have been sent to bugtraq as well.

The fix did not require any modifications to dovecot, so that is why dovecot wasn't mentioned in the advisory.

        smithj