Rapid7 Vulnerability & Exploit Database

RHSA-2008:0297: dovecot security and bug fix update

Back to Search

RHSA-2008:0297: dovecot security and bug fix update



Dovecot is an IMAP server for Linux and UNIX-like systems, primarilywritten with security in mind.A flaw was discovered in the way Dovecot handled the "mail_extra_groups"option. An authenticated attacker with local shell access could leveragethis flaw to read, modify, or delete other users mail that is stored onthe mail server. (CVE-2008-1199)This issue did not affect the default Red Hat Enterprise Linux 5 Dovecotconfiguration. This update adds two new configuration options --"mail_privileged_group" and "mail_access_groups" -- to minimize the usageof additional privileges.A directory traversal flaw was discovered in Dovecot's zlib plug-in. Anauthenticated user could use this flaw to view other compressed mailboxeswith the permissions of the Dovecot process. (CVE-2007-2231)A flaw was found in the Dovecot ACL plug-in. User with only insertpermissions for a mailbox could use the "COPY" and "APPEND" commands to setadditional message flags. (CVE-2007-4211)A flaw was found in a way Dovecot cached LDAP query results in certainconfigurations. This could possibly allow authenticated users to log in asa different user who has the same password. (CVE-2007-6598)As well, this updated package fixes the following bugs:pop3-login: pop3-login: error while loading shared libraries:libsepol.so.1: failed to map segment from shared object: Cannot allocatememoryIn this updated package, the "login_process_size" limit is correctlyconfigured on 64-bit systems, which resolves this issue.Note: this updated package upgrades dovecot to version 1.0.7. Forfurther details, refer to the Dovecot changelog:http://koji.fedoraproject.org/koji/buildinfo?buildID=23397Users of dovecot are advised to upgrade to this updated package, whichresolves these issues.


  • redhat-upgrade-dovecot

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center