Upstream has released new version 1.2.8, which is flagged as a security release fixing a vulnerability in all 1.2 releases that allows local users to log in as other users... Bump should be trivial. Reproducible: Always
CVE-2009-3897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897): Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.
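The CVE text above names the mechanism: a 0777 directory somewhere on the path to the auth socket lets any local user replace that socket (or rename the directory holding it) and impersonate other accounts. The following script is an added example, not part of the bug report or of Dovecot itself: it walks from a Dovecot base_dir up to / (or up to an optional stop directory) and flags every directory that is world-writable without the sticky bit. The path /var/run/dovecot used in the usage line is an assumption about the installation's base_dir; check your own configuration.

```sh
#!/bin/sh
# Added example (not from the bug report or from Dovecot upstream).
# Audit a Dovecot base_dir and all of its parent directories for the
# CVE-2009-3897 condition: a world-writable directory without the sticky
# bit anywhere on the path lets any local user unlink/rename entries owned
# by root, including the auth socket or base_dir itself, and put their own
# socket in its place.
#
# Usage: check_socket_dir_chain DIR [STOPDIR]
# Prints one line per problem directory. Returns 0 if the chain is clean,
# 1 if at least one world-writable, non-sticky directory was found.
check_socket_dir_chain() {
    dir=${1%/}
    [ -n "$dir" ] || dir=/
    stop=${2:-/}
    stop=${stop%/}
    [ -n "$stop" ] || stop=/
    found=0
    while :; do
        if [ -d "$dir" ]; then
            # Columns 9-10 of "ls -ld" are the "other" write slot and the
            # "other" execute/sticky slot, e.g. "drwxrwxrwt" -> "wt".
            # -L follows a symlinked component so we inspect the real dir.
            perm=$(ls -ldL "$dir" | cut -c9-10)
            case $perm in
            w[tT]) echo "note: $dir is world-writable but sticky (root-owned entries cannot be replaced by others)" ;;
            w?)    echo "VULNERABLE: $dir is world-writable without the sticky bit"; found=1 ;;
            esac
        fi
        [ "$dir" = "$stop" ] && break
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $found
}

# Run against the directory given on the command line, e.g.
#   sh check_dovecot_dirs.sh /var/run/dovecot
# (/var/run/dovecot is an assumed base_dir; substitute the value from your
# dovecot configuration).
if [ "$#" -gt 0 ]; then
    check_socket_dir_chain "$1" || \
        echo "fix: chmod o-w (or add the sticky bit with chmod +t) on the directories listed above"
fi
```

The sticky-bit distinction matters: a 1777 directory such as /tmp still lets others create entries, but they cannot remove or rename the root-owned socket, so only the non-sticky 0777 case is reported as vulnerable.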
Created attachment 211822: dovecot.patch. Here is a patch, which should be applied when you do the version bump, that does a couple of things. It fixes mkcert.sh so that it installs the SSL certificate and key where they need to be installed, and it fixes the ebuild to install the documentation.
All, I have committed dovecot-1.2.8 to the tree. There still needs to be some keywording done before we can take it to stable; I am updating the dependencies to reflect that.
We should get this security issue fixed in stable. net-mail/security: time to add arches?
Please wait, we need v1.2.11.
Bug 314533 handles the stabilization of a newer version. Bug will be ready for GLSA once that is done.
(In reply to comment #6)
> bug 314533 handles the stabilization of a newer version. bug will be ready for
> glsa once that is done.

Stabilization complete; adding to existing GLSA request.
This issue was resolved and addressed in GLSA 201110-04 at http://security.gentoo.org/glsa/glsa-201110-04.xml by GLSA coordinator Stefan Behte (craig).