Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4577 to the following vulnerability: The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
Upstream patch: http://hg.dovecot.org/dovecot-1.1/rev/aac3b42f3f8a
References:
http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
http://bugs.gentoo.org/show_bug.cgi?id=240409
http://www.securityfocus.com/bid/31587
http://www.frsirt.com/english/advisories/2008/2745
http://secunia.com/advisories/32164
This issue does not affect the Dovecot version as shipped with Red Hat Enterprise Linux 4, as it does not include the ACL plugin at all. This issue affects the Dovecot version as shipped in Red Hat Enterprise Linux 5. This flaw can possibly allow IMAP users to bypass intended access restrictions; however, as negative ACLs do not seem to be documented in the upstream documentation (http://wiki.dovecot.org/ACL), they are not very likely to be used and can easily be worked around by being replaced with positive ACLs. Therefore, this will be treated as a low-impact security issue.
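The following is an added example, not code from Dovecot or from this bug report. It models the behaviour described in the CVE text above (negative ACL rights applied as if positive) against a simplified reading of the dovecot-acl file format, and gives an administrator a way to audit an ACL file for the negative entries that the comment above suggests replacing with positive ones. Assumptions: entries are one "<identifier> <rights>" pair per line, an identifier prefixed with "-" is a negative entry, identifiers are user=..., group=..., authenticated or anyone, rights are single letters, and effective rights are the union of matching positive entries minus the union of matching negative entries. The sample ACL file and principals are constructed.

```python
# Added example (not Dovecot code): simplified model of Dovecot-style ACL
# evaluation, used to find negative entries that an unpatched Dovecot < 1.1.4
# (CVE-2008-4577) would apply as positive rights.
# Assumptions (see lead-in): "<identifier> <rights>" per line, "-" prefix marks
# a negative entry, rights are single letters, effective rights = union of
# matching positive entries minus union of matching negative entries.

# Constructed sample dovecot-acl file: everyone may list/read, the "guest"
# user is meant to lose read, and group "contractors" may not delete.
SAMPLE_ACL = """\
anyone lr
group=staff lrwsi
-user=guest r
-group=contractors t
user=admin lrwstipekxa
"""


def parse_acl(text):
    """Return a list of (negative, identifier, rights-set) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ident, _, rights = line.partition(" ")
        negative = ident.startswith("-")
        if negative:
            ident = ident[1:]
        entries.append((negative, ident, set(rights.strip())))
    return entries


def matches(ident, user, groups):
    """Does an ACL identifier apply to this principal (user may be None)?"""
    if ident == "anyone":
        return True
    if ident == "authenticated":
        return user is not None
    if ident.startswith("user="):
        return ident[len("user="):] == user
    if ident.startswith("group="):
        return ident[len("group="):] in groups
    return False


def effective_rights(entries, user, groups, honor_negative=True):
    """Union of matching positive rights minus matching negative rights.

    With honor_negative=False, negative entries are added instead of
    subtracted, which models the flawed pre-1.1.4 behaviour.
    """
    granted, denied = set(), set()
    for negative, ident, rights in entries:
        if not matches(ident, user, groups):
            continue
        if negative and honor_negative:
            denied |= rights
        else:
            granted |= rights
    return granted - denied


def audit_negative_entries(entries, principals):
    """Map each principal to the rights it would gain on an unpatched server.

    principals is an iterable of (user, groups); only principals whose
    rights differ between fixed and flawed evaluation are reported.
    """
    findings = {}
    for user, groups in principals:
        fixed = effective_rights(entries, user, groups)
        flawed = effective_rights(entries, user, groups, honor_negative=False)
        extra = flawed - fixed
        if extra:
            findings[user or "<anonymous>"] = "".join(sorted(extra))
    return findings


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    principals = [("guest", []), ("bob", ["contractors"]), ("alice", ["staff"])]
    for user, gained in audit_negative_entries(acl, principals).items():
        print(f"{user}: would gain rights '{gained}' if negative ACLs were applied as positive")
```

Running the audit over a real dovecot-acl file and the list of users and groups that actually exist on the server shows which principals an unpatched Dovecot 1.1 would over-privilege; an ACL file with no negative entries produces no findings, which is the state the workaround in the comment above aims for.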
Public report on the Dovecot mailinglist: http://dovecot.org/list/dovecot/2008-September/033475.html
dovecot-1.0.15-14.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/dovecot-1.0.15-14.fc9
dovecot-1.0.15-14.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/dovecot-1.0.15-14.fc8
dovecot-1.0.15-14.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
dovecot-1.0.15-14.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Via RHSA-2009:0205, available at https://rhn.redhat.com/errata/RHSA-2009-0205.html