Quoting from the bug report: "There is a security hole in the auth procedure. When the authldap module is used and anonymous login is enabled on the LDAP server, any user can log in to any account using an empty string as the password." "Yes. This *only* affects AD, not openldap." The bug can be found in the mailing list archive: http://www.mail-archive.com/dbmail-dev@dbmail.org/msg09942.html The patch that was used is here: http://git.dbmail.eu/?p=paul/dbmail;a=commitdiff;h=5a4458b9f4b1a1453e35a1c5674c2253b9d00138
arches, please test net-mail/dbmail-2.2.9 and mark stable if possible
Just for completeness, the (locked down) bug that jer pointed out can be found at http://dbmail.org/mantis/view.php?id=662
CVE assigned: Name: CVE-2007-6714 DBMail before 2.2.9, when using authldap with an LDAP server that supports anonymous login such as Active Directory, allows remote attackers to bypass authentication via an empty password, which causes the LDAP bind to indicate success based on anonymous authentication.
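The bind semantics behind the CVE description above, as an added illustration that is not code from DBMail, from the patch linked in this thread, or from any of its participants. `FakeLdapServer`, `user_dn`, the sample account and both `authenticate` functions are constructed for this example; the server stand-in models RFC 4513 section 5.1.2, where a simple bind with a name but an empty password is an "unauthenticated" bind that the server treats as anonymous if it accepts such binds at all (Active Directory does by default, OpenLDAP refuses them by default, which matches the "only affects AD" remark above):

```python
"""Simulation of the LDAP simple-bind behaviour behind CVE-2007-6714.

Added example, not DBMail's authldap code. FakeLdapServer is a constructed
stand-in that never touches the network; it models RFC 4513 section 5.1.2:
a simple bind with a non-empty name and an empty password is an
"unauthenticated" bind, which a permissive server reports as success while
binding the session as anonymous. An auth layer that only asks "did the
bind succeed?" therefore accepts an empty password for every account.
"""
from dataclasses import dataclass


@dataclass
class BindResult:
    success: bool
    authz_id: str  # identity the session is bound as; "" means anonymous


class FakeLdapServer:
    """Constructed stand-in for a directory server (assumption, not a real client)."""

    def __init__(self, accounts, allow_unauthenticated_bind):
        self.accounts = accounts  # constructed sample data: {dn: password}
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, dn, password):
        if dn == "" and password == "":
            # Plain anonymous bind: succeeds, session bound as nobody.
            return BindResult(True, "")
        if password == "":
            # Unauthenticated bind: name given, no credential supplied.
            if self.allow_unauthenticated_bind:
                return BindResult(True, "")   # AD-style: success, but anonymous
            return BindResult(False, "")      # OpenLDAP default: refused
        if self.accounts.get(dn) == password:
            return BindResult(True, dn)       # credential actually verified
        return BindResult(False, "")


def user_dn(username):
    # Constructed DN layout for the example.
    return f"uid={username},ou=people,dc=example,dc=com"


def vulnerable_authenticate(server, username, password):
    """Shape of the flawed logic: bind success is taken as proof of identity."""
    return server.simple_bind(user_dn(username), password).success


def hardened_authenticate(server, username, password):
    """Refuse empty credentials before binding, and require that the bind
    established the expected identity rather than an anonymous session."""
    if not password:
        return False
    dn = user_dn(username)
    result = server.simple_bind(dn, password)
    return result.success and result.authz_id == dn


def sample_servers():
    """Two constructed directories differing only in unauthenticated-bind policy."""
    accounts = {user_dn("alice"): "s3cret"}
    ad_like = FakeLdapServer(accounts, allow_unauthenticated_bind=True)
    openldap_like = FakeLdapServer(accounts, allow_unauthenticated_bind=False)
    return ad_like, openldap_like


if __name__ == "__main__":
    ad_like, openldap_like = sample_servers()
    for label, server in (("AD-like", ad_like), ("OpenLDAP-like", openldap_like)):
        print(label,
              "vulnerable/empty:", vulnerable_authenticate(server, "alice", ""),
              "hardened/empty:", hardened_authenticate(server, "alice", ""),
              "hardened/correct:", hardened_authenticate(server, "alice", "s3cret"))
```

Against a real directory the second check in `hardened_authenticate` corresponds to asking the server who the session is bound as (the "Who am I?" extended operation from RFC 4532) instead of trusting the bind result code alone; the empty-password guard is the part the DBMail fix needed, and it belongs in the application because the server's unauthenticated-bind policy is outside the application's control.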
amd64/x86 stable, last arches.
GLSA vote... I tend to use yes here since this might allow anyone to retrieve anyone else's mail via pop3/imap.
Although this could even be seen as C4, since it requires an Active Directory to be checked against, I vote yes too. request filed
GLSA 200804-24 thanks everyone
Fixed in release snapshot.