Dovecot is an IMAP server for Linux and UNIX-like systems, primarily written with security in mind.

A flaw was discovered in the way Dovecot handled the "mail_extra_groups" option. An authenticated attacker with local shell access could leverage this flaw to read, modify, or delete other users' mail that is stored on the mail server. (CVE-2008-1199)

This issue did not affect the default Red Hat Enterprise Linux 5 Dovecot configuration. This update adds two new configuration options -- "mail_privileged_group" and "mail_access_groups" -- to minimize the usage of additional privileges.

A directory traversal flaw was discovered in Dovecot's zlib plug-in. An authenticated user could use this flaw to view other compressed mailboxes with the permissions of the Dovecot process. (CVE-2007-2231)

A flaw was found in the Dovecot ACL plug-in. A user with only insert permissions for a mailbox could use the "COPY" and "APPEND" commands to set additional message flags. (CVE-2007-4211)

A flaw was found in the way Dovecot cached LDAP query results in certain configurations. This could possibly allow authenticated users to log in as a different user who has the same password. (CVE-2007-6598)

As well, this updated package fixes the following bugs:

pop3-login: pop3-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory

In this updated package, the "login_process_size" limit is correctly configured on 64-bit systems, which resolves this issue.

Note: this updated package upgrades dovecot to version 1.0.7. For further details, refer to the Dovecot changelog:
http://koji.fedoraproject.org/koji/buildinfo?buildID=23397

Users of dovecot are advised to upgrade to this updated package, which resolves these issues.
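
Because the default configuration was not affected by CVE-2008-1199, the first check after upgrading is whether a local configuration still sets "mail_extra_groups". The following audit is an added example, not part of the advisory or of Dovecot: it reports every active "mail_extra_groups" setting and whether either of the two new options is configured. The sample configuration is constructed, and the parser assumes the simple "key = value" and "name { ... }" layout with "#" comments.

```python
# Constructed sample of a Dovecot 1.0-style configuration (not from the advisory).
SAMPLE_CONF = """\
# mail_extra_groups = old commented default
protocols = imap pop3
mail_extra_groups = mail   # extra group for mail processes
protocol imap {
  mail_extra_groups = mail staff
}
mail_privileged_group =
"""

OLD = "mail_extra_groups"
NEW = ("mail_privileged_group", "mail_access_groups")


def parse_settings(text):
    """Yield (line_no, section, key, value) for each active setting."""
    section = []  # stack of enclosing "name {" blocks
    for no, raw in enumerate(text.splitlines(), 1):
        # Simplification: everything after '#' is treated as a comment.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            section.append(line[:-1].strip())
        elif line == "}":
            if section:
                section.pop()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            yield no, "/".join(section) or "global", key, value


def audit(text):
    """Return findings for mail_extra_groups and the state of its replacements."""
    settings = list(parse_settings(text))
    findings = [
        f"line {no} [{sec}]: {OLD} = {val!r} is still set"
        for no, sec, key, val in settings
        if key == OLD and val
    ]
    # An empty value does not count as configured.
    configured = {key for _, _, key, val in settings if key in NEW and val}
    if findings and not configured:
        findings.append("neither " + " nor ".join(NEW) + " is configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```
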