[Dovecot] Solving CVE-2008-4870
Timo Sirainen
tss at iki.fi
Thu Nov 13 15:57:39 EET 2008
On Nov 13, 2008, at 1:03 PM, Michal Hlavinka wrote:
> Hi,
>
> we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is
> world readable - possible password exposure.
>
> This problem seems to be a little more complicated than we thought.
>
> dovecot.conf can contain the passphrase for the SSL key, which is available
> to everyone since dovecot.conf has world-readable permissions.
Maybe a new separate dovecot-secret.conf? When Dovecot starts up it
first reads dovecot.conf and after that dovecot-secret.conf. deliver
wouldn't read dovecot-secret.conf at all.
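
An illustration of the load order proposed in the reply above, added here as an example; it is not part of the original message and not Dovecot's own code. It assumes `ssl_key_password` is the setting that holds the key passphrase, a simplified flat `key = value` file format, and hypothetical helper names; the sample files are constructed.

```python
import os
import stat
import tempfile

# Assumption: ssl_key_password is the setting holding the SSL key passphrase.
SECRET_KEYS = {"ssl_key_password"}

def parse_conf(path):
    """Parse flat 'key = value' lines; '#' comments and sections are skipped."""
    settings = {}
    with open(path) as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip()
    return settings

def exposed_secrets(main_path):
    """Secret settings present in a main config that 'other' users can read."""
    if not os.stat(main_path).st_mode & stat.S_IROTH:
        return []
    return sorted(SECRET_KEYS & parse_conf(main_path).keys())

def load_settings(main_path, secret_path, read_secrets):
    """Read the main config, then the secret file (master process only)."""
    settings = parse_conf(main_path)
    if read_secrets and os.path.exists(secret_path):
        mode = os.stat(secret_path).st_mode
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{secret_path}: must not be group/world accessible")
        settings.update(parse_conf(secret_path))
    return settings

def demo():
    """Constructed sample files: passphrase moved out of the main config."""
    with tempfile.TemporaryDirectory() as d:
        main, secret = os.path.join(d, "dovecot.conf"), os.path.join(d, "dovecot-secret.conf")
        with open(main, "w") as fh:
            fh.write("protocols = imap\nssl_key_password = example-only\n")
        os.chmod(main, 0o644)
        before = exposed_secrets(main)  # passphrase readable by everyone
        with open(main, "w") as fh:
            fh.write("protocols = imap\n")
        with open(secret, "w") as fh:
            fh.write("ssl_key_password = example-only\n")
        os.chmod(secret, 0o600)
        master = load_settings(main, secret, read_secrets=True)
        deliver = load_settings(main, secret, read_secrets=False)
        return before, exposed_secrets(main), master, deliver

if __name__ == "__main__":
    print(demo())
```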