Bug 640410 (CVE-2010-3707) - CVE-2010-3707 Dovecot: Failed to properly update ACL cache, when multiple rules defined rights for one subject
Status: CLOSED ERRATA
Alias: CVE-2010-3707
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 654226
Reported: 2010-10-05 19:01 UTC by Jan Lieskovsky
Modified: 2021-11-04 16:15 UTC

Doc Type: Bug Fix
Last Closed: 2011-05-19 14:04:47 UTC

Links:
Red Hat Product Errata RHSA-2011:0600 (priority normal, status SHIPPED_LIVE): "Moderate: dovecot security and enhancement update", last updated 2011-05-19 11:47:01 UTC

Description Jan Lieskovsky 2010-10-05 19:01:45 UTC
A security flaw was found in the way the Dovecot mail server updated its own Access Control List (ACL) cache when multiple rules were used to define the rights for one particular subject (the more common rule was applied instead of the restricted rights set). Due to this deficiency, the intended ACL rights for certain users were not applied correctly, allowing those users to perform certain tasks regardless of the form of the ACL rights configuration file.

References:
[1] http://www.dovecot.org/list/dovecot/2010-October/053450.html
[2] http://www.dovecot.org/list/dovecot/2010-October/053452.html
[3] http://wiki.dovecot.org/ACL

Comment 1 Jan Lieskovsky 2010-10-05 19:04:36 UTC
Upstream changeset:
[4] http://hg.dovecot.org/dovecot-1.2/rev/fd607e10e75d

Comment 2 Jan Lieskovsky 2010-10-05 19:07:52 UTC
This issue did NOT affect the version of the dovecot package as shipped with Red Hat Enterprise Linux 4 and 5.

This issue affects the version of the dovecot package as shipped with Red Hat Enterprise Linux 6.

Comment 5 Huzaifa S. Sidhpurwala 2010-11-17 09:27:06 UTC
Statement:

This issue did not affect the version of the dovecot package as shipped with Red Hat Enterprise Linux 4 and 5. This issue affects the version of the dovecot package as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Comment 7 errata-xmlrpc 2011-05-19 11:47:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0600 https://rhn.redhat.com/errata/RHSA-2011-0600.html