746270 – (CVE-2010-3304) CVE-2010-3304 dovecot: INBOX ACLs to newly created mailboxes propagation, possibly leading to weak ACLs

Bug 746270 (CVE-2010-3304) - CVE-2010-3304 dovecot: INBOX ACLs to newly created mailboxes propagation, possibly leading to weak ACLs

Summary: CVE-2010-3304 dovecot: INBOX ACLs to newly created mailboxes propagation, pos...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2010-3304
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	746273
TreeView+	depends on / blocked

Reported:	2011-10-14 15:14 UTC by Jan Lieskovsky
Modified:	2021-02-24 14:29 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-10-20 07:33:35 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jan Lieskovsky 2011-10-14 15:14:58 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3304 to the following vulnerability:

The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs. 

References:
[1]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3304
[2]  http://www.dovecot.org/list/dovecot-news/2010-July/000163.html
[3]  http://www.openwall.com/lists/oss-security/2010/09/16/14
[4]  http://www.openwall.com/lists/oss-security/2010/09/16/17
[5]  http://www.mandriva.com/security/advisories?name=MDVSA-2010:217
[6]  http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
[7]  http://www.ubuntu.com/usn/USN-1059-1
[8]  http://www.securityfocus.com/bid/41964
[9]  http://secunia.com/advisories/43220
[10] http://www.vupen.com/english/advisories/2010/2840
[11] http://www.vupen.com/english/advisories/2011/0301
[12] http://www.gentoo.org/security/en/glsa/glsa-201110-04.xml
[13] http://packetstormsecurity.org/files/view/105775/sa46363.txt

Comment 1 Huzaifa S. Sidhpurwala 2011-10-20 07:32:52 UTC

Statement:

This issue does not affect the version of dovecot package, as shipped with Red Hat Enterprise Linux 4, 5 and 6.

Comment 2 Huzaifa S. Sidhpurwala 2011-10-20 07:33:35 UTC

This issue does not affect the version of dovecot as shipped with Fedora 14 and 15.

Note You need to log in before you can comment on or make changes to this bug.