Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2166 to the following vulnerability:

Name: CVE-2011-2166
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2166
Assigned: 20110524
Reference: http://dovecot.org/pipermail/dovecot/2011-May/059085.html
Reference: http://openwall.com/lists/oss-security/2011/05/18/4
Reference: http://www.dovecot.org/doc/NEWS-2.0

script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script.
Created dovecot tracking bugs for this issue

Affects: fedora-all [bug 709108]
Upstream patch: http://hg.dovecot.org/dovecot-2.0/rev/25a452227a09
Upstream has confirmed that this particular fix will break current configurations for the dovecot server, which will only be fixed in 2.0.14.

Reference: http://www.mail-archive.com/dovecot@dovecot.org/msg38350.html
Dovecot 2.0.14 is released: http://dovecot.org/list/dovecot-news/2011-August/000193.html

The following in the Changelog suggests that comment #4 has been addressed:

script-login attempted an unnecessary config lookup, which usually failed with "Permission denied"
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:0520 https://rhn.redhat.com/errata/RHSA-2013-0520.html
Statement: (none)