A security flaw was found in the way the Dovecot mail server updated its Access Control List (ACL) cache when multiple rules were used to define the rights of one particular subject: the more general rule was applied instead of the restricted rights set. Because of this deficiency, the intended ACL rights for certain users were not applied correctly, allowing those users to perform certain tasks regardless of the contents of the ACL rights configuration file.

References:
[1] http://www.dovecot.org/list/dovecot/2010-October/053450.html
[2] http://www.dovecot.org/list/dovecot/2010-October/053452.html
[3] http://wiki.dovecot.org/ACL
Upstream changeset:
[4] http://hg.dovecot.org/dovecot-1.2/rev/fd607e10e75d
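As an added example (not code from the advisory, from Red Hat or from Dovecot), the following Python audit parses a dovecot-acl file in the layout documented at reference [3] and flags subjects that are defined by more than one rule with differing rights, which is the configuration pattern under which the flaw described above could apply the broader rule instead of the restricted one. The sample ACL, the ACL_LETTERS set and the function names are assumptions of this example.

```python
"""Audit a dovecot-acl file for one subject (user=name, group=name,
authenticated, anyone, owner) defined by several rules with different
rights. Layout per the Dovecot ACL wiki: '<identifier> <rights>' per line,
'#' comments; rights are IMAP ACL letters or space-separated names."""
from collections import defaultdict

ACL_LETTERS = set("lrwstipekxa")  # IMAP ACL (RFC 4314) single-letter rights

# Constructed sample dovecot-acl contents; not taken from the advisory.
SAMPLE_ACL = """\
# shared mailbox ACL
owner lrwstipekxa
group=staff lrw
user=alice lrwstipekxa   # broad rule
user=alice lr            # later, more restrictive rule for the same subject
anyone l
authenticated lr
authenticated lr
"""

def parse_acl(text):
    """Return (identifier, rights) pairs in file order; rights is a frozenset."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank or comment-only line
        parts = line.split(None, 1)
        ident, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        rights = set()
        for token in rest.split():
            # A token made only of ACL letters expands to one flag per letter;
            # anything else is treated as a named right and kept verbatim.
            rights.update(token if set(token) <= ACL_LETTERS else [token])
        rules.append((ident, frozenset(rights)))
    return rules

def find_conflicting_subjects(rules):
    """Identifiers with more than one rule whose rights sets are not all equal,
    mapped to their rights sets in file order. Identical repeated rules are
    not reported, since either copy yields the same rights."""
    by_subject = defaultdict(list)
    for ident, rights in rules:
        by_subject[ident].append(rights)
    return {i: s for i, s in by_subject.items() if len(set(s)) > 1}

def report(text):
    """One line per flagged subject showing how far its rules diverge."""
    out = []
    for ident, sets in sorted(find_conflicting_subjects(parse_acl(text)).items()):
        widest = "".join(sorted(frozenset.union(*sets)))
        narrowest = "".join(sorted(frozenset.intersection(*sets)))
        out.append(f"{ident}: {len(sets)} rules; union={widest} intersection={narrowest}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ACL)) or "no subject has conflicting rules")
```

A subject listed in the output is one whose effective rights on an unpatched server depend on which of its rules the cache applied, so it is the place to verify access or collapse the rules into one.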
Statement: This issue did not affect the version of the dovecot package as shipped with Red Hat Enterprise Linux 4 and 5. This issue affects the version of the dovecot package as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6: via RHSA-2011:0600, https://rhn.redhat.com/errata/RHSA-2011-0600.html