Bug 218154 - net-mail/dbmail <2.2.9 data disclosure (CVE-2007-6714)
Summary: net-mail/dbmail <2.2.9 data disclosure (CVE-2007-6714)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Reported: 2008-04-17 19:18 UTC by Matthias Geerdsen (RETIRED)
Modified: 2008-04-21 08:19 UTC

See Also:
Package list:
Runtime testing required: ---


Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-17 19:18:09 UTC
quoting from the bugreport:
"There is security hole in auth procedure. When used authldap module and on
LDAP server enabled anonymous login any user can login in any account
using as password empty string."
"Yes. This *only* affects AD, not openldap."

bug can be found on the mailing list archive:

find the used patch here:;a=commitdiff;h=5a4458b9f4b1a1453e35a1c5674c2253b9d00138
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-17 19:20:28 UTC
arches, please test net-mail/dbmail-2.2.9 and mark stable if possible
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-17 19:28:19 UTC
just for completeness, the (locked down) bug that jer pointed out can be found at
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-17 21:33:52 UTC
CVE assigned:

Name: CVE-2007-6714

DBMail before 2.2.9, when using authldap with an LDAP server that
supports anonymous login such as Active Directory, allows remote
attackers to bypass authentication via an empty password, which causes
the LDAP bind to indicate success based on anonymous authentication.
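The failure mode in the CVE text, as an added illustration that is not dbmail's code: an LDAP simple bind that carries a DN but an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2), and a directory that permits anonymous access answers it with success, so an authenticator that forwards the user's password straight into the bind accepts any account with an empty password. The `FakeLdapServer` below is a constructed stand-in for the directory, not a real LDAP client, and both `authenticate_*` functions are hypothetical; the fixed variant shows the check a defender wants in front of the bind.

```python
"""Added example (not from dbmail): empty-password bypass against an
LDAP simple-bind authenticator, and the pre-bind check that closes it.

Constructed stand-in for a directory server; no network access is made.
"""
from dataclasses import dataclass, field


@dataclass
class FakeLdapServer:
    """Minimal model of a directory's simple-bind decision.

    `users` maps a DN to its password. `allow_anonymous` models a server
    (e.g. one with anonymous access enabled) that treats a bind with an
    empty password as an anonymous bind and reports success.
    """
    users: dict = field(default_factory=dict)
    allow_anonymous: bool = True

    def simple_bind(self, dn: str, password: str) -> bool:
        # Unauthenticated bind (DN present, password empty): the outcome
        # depends only on whether anonymous access is enabled, never on
        # whether the DN's real password was supplied.
        if password == "":
            return self.allow_anonymous
        # Authenticated bind: password must match the stored one.
        return self.users.get(dn) == password


def authenticate_vulnerable(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Pre-fix pattern: bind result is taken as the login decision."""
    return server.simple_bind(dn, password)


def authenticate_fixed(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Hardened pattern: an empty password never reaches the bind, so an
    anonymous-bind success can no longer be mistaken for a user login."""
    if not password:
        return False
    return server.simple_bind(dn, password)


def demo() -> dict:
    """Run both authenticators against a constructed directory and
    return the outcomes keyed by scenario."""
    alice = "uid=alice,ou=people,dc=example,dc=org"  # constructed DN
    anon_ok = FakeLdapServer(users={alice: "s3cret"}, allow_anonymous=True)
    anon_off = FakeLdapServer(users={alice: "s3cret"}, allow_anonymous=False)
    return {
        "vuln_empty_pw_anon_on": authenticate_vulnerable(anon_ok, alice, ""),
        "vuln_empty_pw_anon_off": authenticate_vulnerable(anon_off, alice, ""),
        "fixed_empty_pw_anon_on": authenticate_fixed(anon_ok, alice, ""),
        "fixed_good_pw": authenticate_fixed(anon_ok, alice, "s3cret"),
        "fixed_bad_pw": authenticate_fixed(anon_ok, alice, "wrong"),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {'login accepted' if result else 'login rejected'}")
```

The `anon_off` case matches the reporter's remark that an OpenLDAP server without anonymous access is unaffected: the unauthenticated bind fails there, so the pre-fix code happens to be safe. The fix does not rely on that server setting, which is the point; the application must refuse to bind with an empty credential regardless of how the directory is configured.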
Comment 4 Markus Meier gentoo-dev 2008-04-17 21:52:00 UTC
amd64/x86 stable, last arches.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 23:56:50 UTC
GLSA vote... I tend to use yes here since this might allow anyone to retrieve anyone else's mail via pop3/imap.
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-18 08:54:12 UTC
Although this could even be seen as C4, since it requires an Active Directory to be checked against, I vote yes too.

request filed
Comment 7 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-19 00:18:47 UTC
GLSA 200804-24

thanks everyone
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2008-04-21 08:19:26 UTC
Fixed in release snapshot.