Bug 427575 - (CVE-2007-6598) CVE-2007-6598 dovecot LDAP+auth cache user login mixup
CVE-2007-6598 dovecot LDAP+auth cache user login mixup
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
source=vendorsec,reported=20071229,pu...
: Security
Depends On: 437152
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-04 15:43 EST by Ville Skyttä
Modified: 2008-05-29 03:47 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-29 03:47:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ville Skyttä 2008-01-04 15:43:47 EST
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6598
http://dovecot.org/list/dovecot-news/2007-December/000058.html

"Dovecot before 1.0.10, with certain configuration options including use of
%variables, does not properly maintain the LDAP+auth cache, which might allow
remote authenticated users to login as a different user who has the same password."
Comment 1 Tomas Janousek 2008-01-07 06:26:07 EST
Updates were pushed to F7 and F8. We're not fixing this in EL5, I think.
Comment 2 Josh Bressers 2008-01-07 15:27:26 EST
I'm assigning this a severity of low.  This requires a very non default setup,
and even then it's only really an issue if two users have the same password and
log in within an hour of each other.

This is likely worth fixing with the next dovecot update, but the risk and time
required to fix only this issue negates the possible benefit fixing it right now.
Comment 3 Tomas Hoger 2008-03-12 06:41:41 EDT
This seems to be a relevant upstream commit:

http://hg.dovecot.org/dovecot-1.0/rev/2cedab21cd6d

This issue does not affect dovecot packages as shipped in Red Hat Enterprise
Linux 4, as they do not offer auth cache functionality.
Comment 5 Red Hat Product Security 2008-05-29 03:47:28 EDT
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0297.html

Fedora:
  updated to fixed upstream version


Note You need to log in before you can comment on or make changes to this bug.