
CVE-identifier for dovecot Maildir ACL issue (CVE-2010-3304)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Description: dovecot Maildir ACL issue
Temporary name: TEMP-0000000-001461
CVE-identifier for this issue is: CVE-2010-3304

Dovecot's description: "This release fixes a bug in ACL plugin, which
could be considered a security bug: If Maildir is used with default
settings (INBOX is same as Maildir root dir) and user set some ACLs to
INBOX, those ACLs were copied to all newly created mailboxes. This
should have been done only for "default ACLs", but with Maildir the
INBOX directory is the same as the default ACL directory, so this mixup
happened. This bug exists only in v1.2.x releases."

Can you update security-tracker, thanks.

References:

http://www.dovecot.org/list/dovecot-news/2010-July/000163.html
http://www.openwall.com/lists/oss-security/2010/09/16/17

Best regards,
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkyVJe8ACgkQXf6hBi6kbk9YDQCeJkUe71WLAc/huLRq1mAT8Ujw
AKIAnR5/uVQObaodx1HEV74D942u2+yb
=zXfq
-----END PGP SIGNATURE-----
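
An added audit sketch for the issue described above (not part of the original message and not Dovecot code): it lists child mailboxes under a Maildir root whose ACL file repeats an entry from the INBOX's ACL file. It assumes the Maildir++ layout (child mailboxes as dot-prefixed directories) and that per-mailbox ACLs are kept in a file named `dovecot-acl` with `identifier rights` lines; the `build_sample` helper and its users are constructed, and a match may also be deliberate sharing, so results need review.

```python
import os
import tempfile

ACL_FILE = "dovecot-acl"  # assumed per-mailbox ACL file name

def read_acl(path):
    """Return {identifier: rights} from one ACL file; {} if it is absent."""
    entries = {}
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if line:
                    ident, _, rights = line.partition(" ")
                    entries[ident] = rights.strip()
    except FileNotFoundError:
        pass
    return entries

def inherited_inbox_acls(maildir_root):
    """Map each child mailbox to the ACL entries it shares with INBOX."""
    # With default settings the INBOX is the Maildir root directory itself.
    inbox = read_acl(os.path.join(maildir_root, ACL_FILE))
    findings = {}
    for name in sorted(os.listdir(maildir_root)) if inbox else []:
        child = os.path.join(maildir_root, name)
        if not (name.startswith(".") and os.path.isdir(child)):
            continue
        acl = read_acl(os.path.join(child, ACL_FILE))
        shared = {i: r for i, r in acl.items() if inbox.get(i) == r}
        if shared:
            findings[name] = shared
    return findings

def build_sample(root):
    """Constructed sample: INBOX grants user=bob, .Private repeats that entry."""
    layout = {"": "user=bob lrws\n", ".Private": "user=bob lrws\n",
              ".Shared": "user=carol lr\n", ".Drafts": None}
    for rel, acl in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        if acl is not None:
            with open(os.path.join(d, ACL_FILE), "w") as fh:
                fh.write(acl)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for box, acl in inherited_inbox_acls(tmp).items():
            print(box, acl)
```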
