oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request: more dovecot ACL issues

From: Josh Bressers <bressers () redhat com>
Date: Mon, 4 Oct 2010 15:30:08 -0400 (EDT)

----- "Ludwig Nussel" <ludwig.nussel () suse de> wrote:


Hi,

dovecot 1.2.15 fixes issues with ACLs:
http://www.dovecot.org/list/dovecot/2010-October/053450.html
http://www.dovecot.org/list/dovecot/2010-October/053452.html



If I'm understanding this correctly based off
http://www.dovecot.org/list/dovecot/2010-October/053452.html

There are two issues here:

a) If admin wanted to remove some rights from mailboxes in user's
private namespace (e.g. symlinked shared mailboxes), they may not have
gotten removed.

Use CVE-2010-3706 for this one.


b) When mixing up multiple ACL entries, such as groups/users the more
specific entry may not have replaced the previous entry (e.g.
group-override may not have worked as expected).

Use CVE-2010-3707.

Thanks.

-- 
    JB
Previous By Date Next
Previous By Thread Next

Current thread: