CVE-2009-3897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897):
Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.

net-mail/dovecot-1.2.8 in the tree since 02 Dec 2009. No significant bugs.

Arches, please test and mark stable:
=net-mail/dovecot-1.2.8
Target keywords : "alpha amd64 ppc sparc x86"

Reproducible: Always
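Added example, not part of the original bug report or of Dovecot's code: a check for the condition the CVE description names, walking from base_dir up through each parent directory and reporting any that are world-writable. The function names and the temporary demo tree are assumptions made for illustration; pass the base_dir from your own configuration as the argument.

```python
import os
import stat
import sys
import tempfile


def audit_dir_chain(path):
    """Check path and every parent directory up to / for world-write access.

    Returns a list of (directory, octal mode, sticky) tuples, deepest first.
    """
    findings = []
    current = os.path.realpath(path)
    while True:
        st = os.stat(current)
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISDIR(st.st_mode) and mode & stat.S_IWOTH:
            # Without the sticky bit any local user can rename or replace
            # entries in this directory, including a socket they do not own.
            findings.append((current, oct(mode), bool(mode & stat.S_ISVTX)))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings


def demo():
    """Constructed layout: <tmp>/run/dovecot with 'run' left at 0777."""
    root = os.path.realpath(tempfile.mkdtemp())
    base_dir = os.path.join(root, "run", "dovecot")
    os.makedirs(base_dir)
    os.chmod(os.path.join(root, "run"), 0o777)  # the unsafe mode from the CVE text
    os.chmod(base_dir, 0o755)
    return root, base_dir, audit_dir_chain(base_dir)


if __name__ == "__main__":
    # Pass the configured base_dir as the argument; with no argument, run the demo.
    results = audit_dir_chain(sys.argv[1]) if len(sys.argv) > 1 else demo()[2]
    for directory, mode, sticky in results:
        note = "sticky bit set" if sticky else "entries replaceable by any local user"
        print(f"{mode} {directory}: {note}")
```

Directories such as /tmp will show up with the sticky flag set; the entries without it are the ones matching the 0777 case described above.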
Shouldn't we better stabilize a newer version, e.g. 1.2.11-r1?

net-mail: do as you wish.
* dovecot-1.2.{8,9,10,11} does not have any security vulnerabilities. As long as we are at >=dovecot-1.2.8 we are good security-wise.
* dovecot-1.2.11-r1 was committed to the tree 2 days ago. I'd prefer to wait a bit before asking for stabilization (30 days?).
* >dovecot-1.2.8 is missing the ~ppc keyword. bug #313787.

Please stabilize =net-mail/dovecot-1.2.8. Thank you.
Thanks for working on dovecot, Eray. I rely on this application.

Since we don't need two stablereqs open, I will mark this as a dupe of bug 314533.

An open invite to email me if you need something done urgently and patrick is not around.

*** This bug has been marked as a duplicate of bug 314533 ***