Re: [ MDVSA-2008:232 ] dovecot

To: xsecurity@xxxxxxxxxxxx
Subject: Re: [ MDVSA-2008:232 ] dovecot
From: Eygene Ryabinkin <rea-sec@xxxxxxxxxxx>
Date: Thu, 20 Nov 2008 00:52:45 +0300
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:Content-Transfer-Encoding:In-Reply-To:Sender; b=aXcV96J4ksVaTLL3v8epmOYZU4eHjcDBXXQr7Y+0FX1y7Yj4R3vufcZU00JN8bl+UDN6bY7wBZF6LWKcQXGxcs+FBZ90xNXL/jFf40h4E/x1FYmCPrqkzw4B3ga61EO2ydK/M9FnJnwNofgGi/tHkpwpn9FY8sONFRX3a+j4aDY=;
In-reply-to: <E1L2u9Y-0007rd-Da@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <E1L2u9Y-0007rd-Da@xxxxxxxxxxxxxxxxxx>
Sender: rea-sec@xxxxxxxxxxx

Good day.

Wed, Nov 19, 2008 at 02:00:00PM -0700, security@xxxxxxxxxxxx wrote:
>  The ACL plugin in dovecot prior to version 1.1.6 allowed attackers to
>  bypass intended access restrictions by using the 'k' right to create
>  unauthorized 'parent/child/child' mailboxes (CVE-2008-4578).

Are you really sure that it should be 1.1.6?  This bug is documented
in the 1.1.4 release notes,
  http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
and CVE entry speaks about 1.1.4 too.
-- 
Eygene

References:
- [ MDVSA-2008:232 ] dovecot
  - From: security

Prev by Date: Re: Re: Re: Re: Opera 9.6x file:// overflow
Next by Date: Re: Re: Re: Re: Opera 9.6x file:// overflow
Previous by thread: [ MDVSA-2008:232 ] dovecot
Next by thread: [USN-674-1] HPLIP vulnerabilities
Index(es):
- Date
- Thread