Dovecot allows users to login as other users when the two use the same password when LDAP+auth cache is enabled under some circumstances. Fixed in 1.0.10, patch here: http://hg.dovecot.org/dovecot-1.0/raw-rev/2cedab21cd6d Wolfram, according to upstream this vulnerability was introduced in "v1.0.rc11", so our current stable is affected. Is 1.0.10 good to go stable or would you advise to patch 1.0.5?
Is this really a security issue? When a user knows another user's password is the same as his one, he can login as himself even without a security flaw -- can't he?
(In reply to comment #0)
> Is 1.0.10 good to go stable or would you advise to patch 1.0.5?

Well, I can only say I haven't experienced any issues with 1.0.10 so far and as quite some functional bugs have been fixed since 1.0.5, I'd rather prefer stabling 1.0.10.
(In reply to comment #1)
> Is this really a security issue? When a user knows another user's password is
> the same as his one, he can login as himself even without a security flaw --
> can't he?

If the attack is targeted at a certain user, you are right. However, by setting a weak password for a user account, an attacker could try to brute-force all accounts (which are active, i.e. logged in within the last cache timeframe) with only one step. This could save some time when a large number of users is present on one system. Besides that, it might disclose data to users who might not even be of bad intent.
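For administrators checking whether a host is exposed to the combination described in comments #0 and #3 (LDAP passdb, auth cache enabled, Dovecot version between 1.0.rc11 and 1.0.10), the following is an added example, not from this bug or from the Dovecot project. It parses a constructed dovecot.conf excerpt in the 1.0 layout; the setting names `cache_size`/`cache_ttl` inside `auth default { }` are assumed from that layout (the newer `auth_cache_size` spelling is accepted as well), and the version bounds come from the comments above.

```python
import re

# Version facts from the bug report: introduced in 1.0.rc11, fixed in 1.0.10.
INTRODUCED_IN = "1.0.rc11"
FIXED_IN = "1.0.10"

# Constructed dovecot.conf excerpt in the 1.0 layout. The auth cache keys are
# assumed to be "cache_size"/"cache_ttl" inside "auth default" (assumption).
SAMPLE_CONF = """\
protocols = imap imaps
auth default {
  mechanisms = plain
  # cache is on: 1024 kB
  cache_size = 1024
  cache_ttl = 3600
  passdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  userdb passwd {
  }
}
"""


def parse_version(v):
    """Turn '1.0.rc11' or '1.0.5' into a sortable tuple; an rc part sorts
    before any numbered release at the same position (1.0.rc11 < 1.0.0)."""
    key = []
    for part in v.strip().split("."):
        m = re.fullmatch(r"rc(\d+)", part)
        if m:
            key.append((0, int(m.group(1))))
        else:
            key.append((1, int(part)))
    return tuple(key)


def version_affected(version):
    """True when INTRODUCED_IN <= version < FIXED_IN."""
    return parse_version(INTRODUCED_IN) <= parse_version(version) < parse_version(FIXED_IN)


def strip_comments(conf):
    """Drop '#' comments and blank lines, return the remaining stripped lines."""
    lines = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            lines.append(line)
    return lines


def auth_cache_enabled(conf):
    """Dovecot's default is a disabled cache (size 0); any positive size enables it."""
    for line in strip_comments(conf):
        m = re.fullmatch(r"(?:auth_)?cache_size\s*=\s*(\d+)", line)
        if m:
            return int(m.group(1)) > 0
    return False


def ldap_passdb_present(conf):
    """True when a 'passdb ldap { ... }' block is configured."""
    return any(re.fullmatch(r"passdb\s+ldap\s*\{?", line) for line in strip_comments(conf))


def assess(version, conf):
    """Combine the three conditions and return a small report dict."""
    vuln_version = version_affected(version)
    cache = auth_cache_enabled(conf)
    ldap = ldap_passdb_present(conf)
    exposed = vuln_version and cache and ldap
    return {
        "version_in_affected_range": vuln_version,
        "auth_cache_enabled": cache,
        "ldap_passdb": ldap,
        "exposed": exposed,
        "remedy": ("upgrade to >= 1.0.10, or set cache_size = 0 until then"
                   if exposed else None),
    }


if __name__ == "__main__":
    for ver in ("1.0.rc10", "1.0.5", "1.0.10"):
        print(ver, assess(ver, SAMPLE_CONF))
```

Running it against the constructed excerpt reports 1.0.5 as exposed and 1.0.10 (and the pre-rc11 release) as not; disabling the cache clears the finding for any version, which matches the workaround implied by the report.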
Arches, please test and mark stable net-mail/dovecot-1.0.10. Target keywords: "alpha amd64 ppc sparc x86"
x86 stable
ppc stable
alpha/sparc stable
amd64 done.
This one is ready for GLSA vote. I vote NO.
voting NO too, and closing.