oss-sec mailing list archives
Re: CVE Request: more dovecot ACL issues
From: Josh Bressers <bressers () redhat com>
Date: Mon, 4 Oct 2010 15:30:08 -0400 (EDT)
----- "Ludwig Nussel" <ludwig.nussel () suse de> wrote:
Hi, dovecot 1.2.15 fixes issues with ACLs: http://www.dovecot.org/list/dovecot/2010-October/053450.html http://www.dovecot.org/list/dovecot/2010-October/053452.html
If I'm understanding this correctly based off http://www.dovecot.org/list/dovecot/2010-October/053452.html There are two issues here: a) If admin wanted to remove some rights from mailboxes in user's private namespace (e.g. symlinked shared mailboxes), they may not have gotten removed. Use CVE-2010-3706 for this one. b) When mixing up multiple ACL entries, such as groups/users the more specific entry may not have replaced the previous entry (e.g. group-override may not have worked as expected). Use CVE-2010-3707. Thanks. -- JB
Current thread:
- CVE Request: more dovecot ACL issues Ludwig Nussel (Oct 04)
- Re: CVE Request: more dovecot ACL issues Josh Bressers (Oct 04)