"Dovecot before 1.0.10, with certain configuration options including use of
%variables, does not properly maintain the LDAP+auth cache, which might allow
remote authenticated users to login as a different user who has the same password."
Updates were pushed to F7 and F8. We're not fixing this in EL5, I think.
I'm assigning this a severity of low. This requires a very non default setup,
and even then it's only really an issue if two users have the same password and
log in within an hour of each other.
This is likely worth fixing with the next dovecot update, but the risk and time
required to fix only this issue negates the possible benefit fixing it right now.
This seems to be a relevant upstream commit:
This issue does not affect dovecot packages as shipped in Red Hat Enterprise
Linux 4, as they do not offer auth cache functionality.
This issue was addressed in:
Red Hat Enterprise Linux:
updated to fixed upstream version