Message-ID: <1294336610.1198571286220608206.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Mon, 4 Oct 2010 15:30:08 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Timo Sirainen <tss@....fi>, coley <coley@...re.org>
Subject: Re: CVE Request: more dovecot ACL issues


----- "Ludwig Nussel" <ludwig.nussel@...e.de> wrote:

> Hi,
> 
> dovecot 1.2.15 fixes issues with ACLs:
> http://www.dovecot.org/list/dovecot/2010-October/053450.html
> http://www.dovecot.org/list/dovecot/2010-October/053452.html
> 

If I'm understanding this correctly based on
http://www.dovecot.org/list/dovecot/2010-October/053452.html

There are two issues here:

a) If admin wanted to remove some rights from mailboxes in user's
private namespace (e.g. symlinked shared mailboxes), they may not have
gotten removed.

Use CVE-2010-3706 for this one.


b) When mixing up multiple ACL entries, such as groups/users the more
specific entry may not have replaced the previous entry (e.g.
group-override may not have worked as expected).

Use CVE-2010-3707.

Thanks.

-- 
    JB
