Rapid7 Vulnerability & Exploit Database

RHSA-2009:0205: dovecot security and bug fix update





Dovecot is an IMAP server for Linux and UNIX-like systems, primarily written with security in mind.

A flaw was found in Dovecot's ACL plug-in. The ACL plug-in treated negative access rights as positive rights, which could allow an attacker to bypass intended access restrictions. (CVE-2008-4577)

A password disclosure flaw was found with Dovecot's configuration file. If a system had the "ssl_key_password" option defined, any local user could view the SSL key password. (CVE-2008-4870)

Note: This flaw did not allow the attacker to acquire the contents of the SSL key. The password has no value without the key file, to which arbitrary users should not have read access.

To better protect even this value, however, the dovecot.conf file now supports the "!include_try" directive. The ssl_key_password option should be moved from dovecot.conf to a new file owned by, and only readable and writable by, root (i.e. mode 0600). This file should be referenced from dovecot.conf by setting the "!include_try [/path/to/password/file]" option.

Additionally, this update addresses the following bugs:

Note: dovecot versions previously shipped with Red Hat Enterprise Linux 5 did not allow this behavior. This update addresses the issue above, but said issue was only present in versions of dovecot not previously included with Red Hat Enterprise Linux 5.

Users of dovecot are advised to upgrade to this updated package, which addresses these vulnerabilities and resolves these issues.
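The reconfiguration the advisory describes for CVE-2008-4870, as an added POSIX shell example that is not part of the Red Hat advisory or of Dovecot itself: the first function moves the ssl_key_password line into a separate 0600 file referenced from dovecot.conf via !include_try, and the second verifies that the main config no longer carries the plaintext value and that the password file has the expected mode. The file paths are supplied by the caller and are assumptions; root ownership is only applied when the script itself runs as root.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory or the Dovecot project.
# Moves ssl_key_password out of a world-readable dovecot.conf into a
# root-owned 0600 file that dovecot.conf pulls in with "!include_try".
# Paths are passed in by the caller and are assumptions.

# harden_ssl_key_password CONF PASSFILE
#   Copies the ssl_key_password line from CONF into PASSFILE (mode 0600),
#   removes it from CONF and appends an !include_try reference instead.
harden_ssl_key_password() {
    conf="$1"
    passfile="$2"
    line=$(grep -E '^[[:space:]]*ssl_key_password[[:space:]]*=' "$conf") || return 1
    # create the file under a restrictive umask so it is never briefly 0644
    ( umask 077 && printf '%s\n' "$line" > "$passfile" ) || return 1
    chmod 0600 "$passfile" || return 1
    # the advisory requires root ownership; only possible when running as root
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$passfile" || return 1
    fi
    # strip the plaintext setting from the main config and reference the file
    # (grep -v exits 1 when no other lines remain, which is not an error here)
    grep -vE '^[[:space:]]*ssl_key_password[[:space:]]*=' "$conf" > "$conf.tmp" || true
    printf '!include_try %s\n' "$passfile" >> "$conf.tmp" || return 1
    mv "$conf.tmp" "$conf"
}

# check_ssl_key_password CONF PASSFILE
#   Returns 0 when CONF carries no plaintext password, references PASSFILE
#   through !include_try, and PASSFILE is readable/writable by its owner only.
check_ssl_key_password() {
    conf="$1"
    passfile="$2"
    if grep -qE '^[[:space:]]*ssl_key_password[[:space:]]*=' "$conf"; then
        return 1
    fi
    grep -qF "!include_try $passfile" "$conf" || return 1
    [ -f "$passfile" ] || return 1
    # the first ten columns of ls -l are the file type and permission bits
    [ "$(ls -ld "$passfile" | cut -c1-10)" = "-rw-------" ] || return 1
}
```

Run check_ssl_key_password after the package update and again after any configuration management run; a non-zero exit means the plaintext password has crept back into dovecot.conf or the password file has become readable by other users.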


  • redhat-upgrade-dovecot
