[Dovecot] Security hole #4: Specific LDAP + auth cache configuration may mix up user logins

Timo Sirainen tss at iki.fi
Fri Dec 21 15:24:31 EET 2007


On Fri, 2007-12-21 at 02:44 -0800, Geert Hendrickx wrote:
> On Fri, Dec 21, 2007 at 12:38:12AM +0200, Timo Sirainen wrote:
> > Somehow I doubt there are any Dovecot setups left that unknowingly have
> > this problem, but it still counts as a security hole. The possibility to
> > cause this problem exists in Dovecot v1.0.rc11 and later.
> > 
> > [...]
> > 
> > You can fix this by upgrading to v1.0.10 (to be released soon), or using
> > this patch: http://hg.dovecot.org/dovecot-1.0/raw-rev/2cedab21cd6d
> 
> Is Dovecot 1.1.x affected as well?

Yes. http://hg.dovecot.org/dovecot/raw-rev/9e75e67420b4
