A security flaw was found in the way the Dovecot IMAP server updated its own Access Control List (ACL) cache for rules specifying user rights on mailboxes stored in a particular user's private namespace. A local attacker could use this flaw, via a symlink attack on the shared mailbox, to prevent the mailbox administrator from restricting the ACL rule.

References:
[1] http://www.dovecot.org/list/dovecot/2010-October/053450.html
[2] http://www.dovecot.org/list/dovecot/2010-October/053452.html
[3] http://wiki.dovecot.org/ACL

Statement: Not vulnerable. This issue did not affect the versions of dovecot as shipped with Red Hat Enterprise Linux 4, 5 or 6.