http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6598 http://dovecot.org/list/dovecot-news/2007-December/000058.html "Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password."
Updates were pushed to F7 and F8. We're not fixing this in EL5, I think.
I'm assigning this a severity of low. This requires a very non default setup, and even then it's only really an issue if two users have the same password and log in within an hour of each other. This is likely worth fixing with the next dovecot update, but the risk and time required to fix only this issue negates the possible benefit fixing it right now.
This seems to be a relevant upstream commit: http://hg.dovecot.org/dovecot-1.0/rev/2cedab21cd6d This issue does not affect dovecot packages as shipped in Red Hat Enterprise Linux 4, as they do not offer auth cache functionality.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0297.html Fedora: updated to fixed upstream version