Summary: | net-mail/dovecot < 1.0.10 LDAP/auth cache may mix up user logins (CVE-2007-6598) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | lkundrak, net-mail+disabled |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://dovecot.org/list/dovecot/2007-December/027569.html | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 201686 |
Description
Robert Buchholz (RETIRED)
2007-12-30 00:37:30 UTC
Is this really a security issue? When an user knows another user's password is the same as his one, he can login as himself even without a security flaw -- can't he? (In reply to comment #0) > Is 1.0.10 good to go stable or would you advise to patch 1.0.5? Well, I can only say I haven't experienced any issues with 1.0.10 so far and as quite some functional bugs have been fixed since 1.0.5, I'd rather prefer stabling 1.0.10. (In reply to comment #1) > Is this really a security issue? When an user knows another user's password is > the same as his one, he can login as himself even without a security flaw -- > can't he? If the attack is targeted at a certain user, you are right. However, by setting a weak password for a user account, an attacker could try a brute-force all accounts (which are active, i.e. logged in within the last cache timeframe) with only one step. This could save some time when a large number of users is present on one system. Besides that, it might disclose data to users who might not even be of bad intent. Arches, please test and mark stable net-mail/dovecot-1.0.10. Target keywords : "alpha amd64 ppc sparc x86" x86 stable ppc stable alpha/sparc stable amd64 done. This one is ready for GLSA vote. I vote NO. voting NO too, and closing. |