| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | net-mail/dbmail <2.2.9 data disclosure (CVE-2007-6714) | | |
| Product: | Gentoo Security | Reporter: | Matthias Geerdsen (RETIRED) <vorlon> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | jer, lordvan, net-mail+disabled, svrmarty |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.mail-archive.com/dbmail-dev@dbmail.org/msg09942.html | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Matthias Geerdsen (RETIRED)
2008-04-17 19:18:09 UTC

arches, please test net-mail/dbmail-2.2.9 and mark stable if possible, just for completeness. The (locked down) bug that jer pointed out can be found at http://dbmail.org/mantis/view.php?id=662

CVE assigned:
Name: CVE-2007-6714
DBMail before 2.2.9, when using authldap with an LDAP server that supports anonymous login such as Active Directory, allows remote attackers to bypass authentication via an empty password, which causes the LDAP bind to indicate success based on anonymous authentication.

amd64/x86 stable, last arches.

GLSA vote... I tend to use yes here since this might allow anyone to retrieve anyone else's mail via pop3/imap.

Although this could even be seen as C4, since it requires an Active Directory to be checked against, I vote yes too.

request filed

GLSA 200804-24

thanks everyone

Fixed in release snapshot.
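The empty-password bind that this CVE describes, and the input check that closes it, as an added Python illustration (not DBMail's or Gentoo's code): the directory contents, DN and passwords are constructed sample values, and the fake directory only models the RFC 4513 rule that a simple bind carrying a DN but an empty password is treated as an anonymous bind and reported as success.

```python
# Added illustration of CVE-2007-6714 (not DBMail code): an authldap-style login
# that trusts the LDAP bind result will accept an empty password against any
# server that permits anonymous binds, because the server answers "success" for
# an anonymous session rather than for the named user.


class FakeLdapDirectory:
    """Constructed stand-in for a directory that allows anonymous binds.

    Models RFC 4513 section 5.1.2: a bind with a DN and an empty password is an
    unauthenticated (anonymous) bind and returns success without checking the DN.
    """

    def __init__(self, passwords):
        self.passwords = passwords  # {dn: password}, constructed sample data

    def simple_bind(self, dn, password):
        if password == "":
            return True  # anonymous bind: no identity was proven
        return self.passwords.get(dn) == password


def authenticate_vulnerable(directory, dn, password):
    """Pre-2.2.9 pattern from the bug: the bind result alone decides the login."""
    return directory.simple_bind(dn, password)


def authenticate_fixed(directory, dn, password):
    """Mitigation: never send an empty or whitespace-only credential to the server.

    An empty password can only produce an anonymous bind, so it can never be
    evidence that the caller is the user named by `dn`; reject it locally.
    """
    if password is None or password.strip() == "":
        return False
    return directory.simple_bind(dn, password)


if __name__ == "__main__":
    # Constructed sample directory with one user.
    directory = FakeLdapDirectory({"uid=alice,ou=people,dc=example,dc=org": "s3cret"})
    dn = "uid=alice,ou=people,dc=example,dc=org"
    print("vulnerable, empty password:", authenticate_vulnerable(directory, dn, ""))
    print("fixed, empty password:     ", authenticate_fixed(directory, dn, ""))
    print("fixed, correct password:   ", authenticate_fixed(directory, dn, "s3cret"))
```

The same pre-bind check belongs in front of any LDAP simple bind, not only DBMail's, unless the directory has been configured to refuse unauthenticated binds.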