mail_extra_groups=mail is enabled by USE=mbox, but can also be enabled by users. It might, however, lead to disclosure of local files with gid=mail. Dovecot 1.0.11 and 1.1.rc2 fix this by introducing a new setting mail_privileged_group. Details at $URL, please also note the last mails about a "permission denied" error and the patch.
CC'ing wschlich. Please add yourself to metadata.xml
1.0.11 and 1.1.rc2 are both in portage. but as 1.0.13 and 1.1.rc3 have been released meanwhile and fix quite some bugs, we should wait until those have made it into portage. currently I'm waiting for the updates of the managesieve patch (shouldn't take longer than 1 or 2 days I guess).
1.0.13 and 1.1_rc3 are now in portage. feel free to test and mark stable.
Thanks. Arches, please test and mark stable: =net-mail/dovecot-1.0.13 Target keywords : "alpha amd64 ppc release sparc x86"
It might be worth trying to stable 1.0.13-r1 instead of 1.0.13... I added a patch from the upstream mercurial repo that fixes a crash.
x86 stable
alpha/sparc stable
amd64 stable
ppc stable
Fixed in release snapshot.
Wolfram, I just realized the ebuild magic that auto-enabled mail_extra_groups was not adapted to handle the new mail_privileged_group setting. Was that intentional? If not, and it might be disruptive for users with USE=mbox, we should re-stable a fixed version.
(In reply to comment #11) > Wolfram, I just realized the ebuild magic that auto-enabled mail_extra_groups > was not adapted to handle the new mail_privileged_group setting. > Was that intentional? If not, and it might be disruptive for users with > USE=mbox, we should re-stable a fixed version. Sorry, I already fixed the stabled versions... 15 Mar 2008; Wolfram Schlich <wschlich@gentoo.org> dovecot-1.0.13-r1.ebuild, dovecot-1.1_rc3-r1.ebuild: fix mail group setting (thanks to rbu)
GLSA 200803-25
