Bug 643715 - VUL-0: dovecot 1.2.15 fixes ACL issues
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other  OS: Other
Priority: P2 - High  Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
maint:released:11.2:36776 maint:relea...
Reported: 2010-10-05 06:13 UTC by Ludwig Nussel
Modified: 2010-10-29 08:32 UTC (History)
Found By: Other

Description Ludwig Nussel 2010-10-05 06:13:07 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

------------------------------------------------------------------------------
Date: Mon, 4 Oct 2010 15:30:08 -0400 (EDT)
From: Josh Bressers <bressers@redhat.com>
Subject: Re: [oss-security] CVE Request: more dovecot ACL issues

----- "Ludwig Nussel" <ludwig.nussel@suse.de> wrote:
> dovecot 1.2.15 fixes issues with ACLs:
> http://www.dovecot.org/list/dovecot/2010-October/053450.html
> http://www.dovecot.org/list/dovecot/2010-October/053452.html
> 

If I'm understanding this correctly based off
http://www.dovecot.org/list/dovecot/2010-October/053452.html

There are two issues here:

a) If admin wanted to remove some rights from mailboxes in user's
private namespace (e.g. symlinked shared mailboxes), they may not have
gotten removed.

Use CVE-2010-3706 for this one.


b) When mixing up multiple ACL entries, such as groups/users the more
specific entry may not have replaced the previous entry (e.g.
group-override may not have worked as expected).

Use CVE-2010-3707.

Thanks.

-- 
    JB
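To make issue (b) concrete, here is an added illustration (not dovecot's code and not part of the report): a toy model of "identifier rights" mailbox ACL entries with a regression check that a more specific entry such as user=alice replaces a broader group entry's rights no matter where it sits in the file. The precedence ranking, the identifier names and the sample entries are assumptions of the model.

```python
# Added example (not dovecot's code): a simplified model of "<identifier> <rights>"
# mailbox ACL entries, used as a regression check that the most specific matching
# entry replaces less specific ones wherever it appears in the file.
# The precedence ordering below is an assumption of this model.
from typing import Callable, List, Optional, Set, Tuple

PRECEDENCE = ["anyone", "authenticated", "group", "owner", "user", "group-override"]
Entry = Tuple[str, str]  # (identifier, rights letters), e.g. ("group=staff", "lrw")


def specificity(identifier: str, user: str, groups: Set[str], owner: bool) -> Optional[int]:
    """Rank of a matching identifier (higher = more specific), or None if it does not apply."""
    kind, _, name = identifier.partition("=")
    applies = {"anyone": True, "authenticated": user != "", "owner": owner,
               "group": name in groups, "group-override": name in groups, "user": name == user}
    if kind not in applies:
        raise ValueError(f"unknown ACL identifier: {identifier!r}")
    return PRECEDENCE.index(kind) if applies[kind] else None


def rights_most_specific(acl: List[Entry], user: str, groups: Set[str], owner: bool = False) -> Set[str]:
    """Intended semantics: the single most specific matching entry wins outright."""
    best: Optional[Tuple[int, Set[str]]] = None
    for identifier, rights in acl:
        rank = specificity(identifier, user, groups, owner)
        if rank is not None and (best is None or rank > best[0]):
            best = (rank, set(rights))
    return best[1] if best else set()


def rights_last_match(acl: List[Entry], user: str, groups: Set[str], owner: bool = False) -> Set[str]:
    """Flawed variant for contrast: the last matching entry in file order wins,
    so a more specific entry written earlier is silently ignored."""
    result: Set[str] = set()
    for identifier, rights in acl:
        if specificity(identifier, user, groups, owner) is not None:
            result = set(rights)
    return result


def override_honoured(evaluate: Callable[..., Set[str]]) -> bool:
    """Constructed check: alice is in group staff (read+write), but a user= entry
    restricts her to read-only; a correct evaluator yields {'l','r'} either way round."""
    restrictive, broad = ("user=alice", "lr"), ("group=staff", "lrw")
    return all(evaluate(acl, "alice", {"staff"}) == {"l", "r"}
               for acl in ([restrictive, broad], [broad, restrictive]))
```

Running override_honoured against both evaluators shows the order-dependent one failing to honour the restrictive entry, which is the class of behaviour the report describes.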
Comment 1 Swamp Workflow Management 2010-10-05 14:00:30 UTC
The SWAMPID for this issue is 36233.
This issue was rated as low.
Please submit fixed packages until 2010-11-02.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Marcus Rückert 2010-10-25 14:57:30 UTC
Requests created: 51359 51360
Comment 3 Swamp Workflow Management 2010-10-29 08:25:59 UTC
Update released for: dovecot12, dovecot12-backend-mysql, dovecot12-backend-mysql-debuginfo, dovecot12-backend-pgsql, dovecot12-backend-pgsql-debuginfo, dovecot12-backend-sqlite, dovecot12-backend-sqlite-debuginfo, dovecot12-debuginfo, dovecot12-debugsource, dovecot12-devel, dovecot12-fts-lucene, dovecot12-fts-lucene-debuginfo, dovecot12-fts-solr, dovecot12-fts-solr-debuginfo
Products:
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
Comment 4 Ludwig Nussel 2010-10-29 08:32:19 UTC
released