Bug 427575 (CVE-2007-6598) - CVE-2007-6598 dovecot LDAP+auth cache user login mixup
Summary: CVE-2007-6598 dovecot LDAP+auth cache user login mixup
Status: CLOSED ERRATA
Alias: CVE-2007-6598
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: source=vendorsec,reported=20071229,pu...
Keywords: Security
Depends On: 437152
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-01-04 20:43 UTC by Ville Skyttä
Modified: 2008-05-29 07:47 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-29 07:47:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0297 normal SHIPPED_LIVE Low: dovecot security and bug fix update 2008-05-21 14:20:08 UTC

Description Ville Skyttä 2008-01-04 20:43:47 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6598
http://dovecot.org/list/dovecot-news/2007-December/000058.html

"Dovecot before 1.0.10, with certain configuration options including use of
%variables, does not properly maintain the LDAP+auth cache, which might allow
remote authenticated users to login as a different user who has the same password."

Comment 1 Tomas Janousek 2008-01-07 11:26:07 UTC
Updates were pushed to F7 and F8. We're not fixing this in EL5, I think.

Comment 2 Josh Bressers 2008-01-07 20:27:26 UTC
I'm assigning this a severity of low.  This requires a very non default setup,
and even then it's only really an issue if two users have the same password and
log in within an hour of each other.

This is likely worth fixing with the next dovecot update, but the risk and time
required to fix only this issue negates the possible benefit fixing it right now.

Comment 3 Tomas Hoger 2008-03-12 10:41:41 UTC
This seems to be a relevant upstream commit:

http://hg.dovecot.org/dovecot-1.0/rev/2cedab21cd6d

This issue does not affect dovecot packages as shipped in Red Hat Enterprise
Linux 4, as they do not offer auth cache functionality.

Comment 5 Red Hat Product Security 2008-05-29 07:47:28 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0297.html

Fedora:
  updated to fixed upstream version




Note You need to log in before you can comment on or make changes to this bug.