Bug 427575 (CVE-2007-6598)
| Summary: | CVE-2007-6598 dovecot LDAP+auth cache user login mixup | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Ville Skyttä <ville.skytta> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | kreilly |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-05-29 07:47:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 437152 | ||
| Bug Blocks: | |||
|
Description
Ville Skyttä
2008-01-04 20:43:47 UTC
Updates were pushed to F7 and F8. We're not fixing this in EL5, I think. I'm assigning this a severity of low. This requires a very non default setup, and even then it's only really an issue if two users have the same password and log in within an hour of each other. This is likely worth fixing with the next dovecot update, but the risk and time required to fix only this issue negates the possible benefit fixing it right now. This seems to be a relevant upstream commit: http://hg.dovecot.org/dovecot-1.0/rev/2cedab21cd6d This issue does not affect dovecot packages as shipped in Red Hat Enterprise Linux 4, as they do not offer auth cache functionality. This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0297.html Fedora: updated to fixed upstream version |