Red Hat Bugzilla – Bug 467436
CVE-2008-4577 dovecot: incorrect handling of negative rights in the ACL plugin
Last modified: 2016-03-01 04:27:26 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4577 to the following vulnerability:
The ACL plugin in Dovecot before 1.1.4 treats negative access rights
as if they are positive access rights, which allows attackers to
bypass intended access restrictions.
This issue does not affect the Dovecot version as shipped with Red Hat Enterprise Linux 4, as it does not include the ACL plugin at all.
This issue affects the Dovecot version as shipped in Red Hat Enterprise Linux 5. This flaw can possibly allow IMAP users to bypass intended access restrictions; however, as the negative ACLs do not seem to be documented in the upstream documentation (http://wiki.dovecot.org/ACL), they are not very likely to be used and can easily be worked around by being replaced with positive ACLs. Therefore, this will be treated as a low-impact security issue.
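To make the flaw class concrete, here is an added, constructed example (not Dovecot's code, and not the upstream ACL file format) of a toy ACL evaluator. It assumes a hypothetical syntax of one entry per line, `<identifier> <rights...>`, where a right prefixed with `-` is a negative right that removes a previously granted right. The "buggy" evaluator strips the sign and merges every token as a positive grant, which is the behaviour the CVE describes; the "fixed" evaluator honours the negative right.

```python
# Constructed example illustrating the bug class in CVE-2008-4577 (not Dovecot's code).
# Assumed (hypothetical) ACL syntax: one entry per line, "<identifier> <rights...>",
# where a right prefixed with "-" is a negative right meaning "remove this right".

ACL_TEXT = """\
group=staff lookup read write
user=mallory -write
"""  # constructed sample ACL: staff may write, except mallory


def parse_acl(text):
    """Return a list of (identifier, [tokens]) entries, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def matches(identifier, user, groups):
    """Match 'user=<name>' against the user and 'group=<name>' against its groups."""
    kind, _, name = identifier.partition("=")
    if kind == "user":
        return name == user
    if kind == "group":
        return name in groups
    return False


def effective_rights_fixed(entries, user, groups):
    """Correct handling: '-right' removes a right granted by an earlier entry."""
    rights = set()
    for identifier, tokens in entries:
        if not matches(identifier, user, groups):
            continue
        for tok in tokens:
            if tok.startswith("-"):
                rights.discard(tok[1:])
            else:
                rights.add(tok)
    return rights


def effective_rights_buggy(entries, user, groups):
    """Flawed handling: the '-' is ignored, so a denial is applied as a grant."""
    rights = set()
    for identifier, tokens in entries:
        if matches(identifier, user, groups):
            rights.update(tok.lstrip("-") for tok in tokens)
    return rights


def check(user, groups):
    """Evaluate the sample ACL for a principal under both evaluators."""
    entries = parse_acl(ACL_TEXT)
    return {
        "fixed": sorted(effective_rights_fixed(entries, user, groups)),
        "buggy": sorted(effective_rights_buggy(entries, user, groups)),
    }


if __name__ == "__main__":
    # mallory is in staff, so the fixed evaluator yields lookup+read only,
    # while the buggy one keeps write.
    print(check("mallory", {"staff"}))
    # A user who matches only the negative entry gets nothing from the fixed
    # evaluator, but is granted 'write' by the buggy one.
    print(check("mallory", set()))
```

The second call shows the more surprising consequence: a standalone negative entry, intended purely as a denial, turns into a grant under the flawed evaluator. That is why the comment above recommends expressing restrictions with positive ACLs only on affected versions.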
Public report on the Dovecot mailinglist:
dovecot-1.0.15-14.fc9 has been submitted as an update for Fedora 9.
dovecot-1.0.15-14.fc8 has been submitted as an update for Fedora 8.
dovecot-1.0.15-14.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
dovecot-1.0.15-14.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Via RHSA-2009:0205 available at https://rhn.redhat.com/errata/RHSA-2009-0205.html