[Dovecot] Solving CVE-2008-4870

Timo Sirainen tss at iki.fi
Wed Nov 19 19:44:59 EET 2008


On Thu, 2008-11-13 at 15:57 +0200, Timo Sirainen wrote:
> On Nov 13, 2008, at 1:03 PM, Michal Hlavinka wrote:
> 
> > Hi,
> >
> > we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is  
> > world readable - possible password exposure.
> >
> > This problem seems to be a little more complicated than we thought.
> >
> > dovecot.conf can contain the passphrase for the SSL key, which is available
> > to everyone since dovecot.conf has world-readable permissions.
> 
> Maybe a new separate dovecot-secret.conf? When Dovecot starts up it  
> first reads dovecot.conf and after that dovecot-secret.conf. deliver  
> wouldn't read dovecot-secret.conf at all.

Added !include and !include_try:
http://hg.dovecot.org/dovecot-1.1/rev/5f471f5b06d2
http://hg.dovecot.org/dovecot-1.1/rev/313d1195318f

deliver currently just skips !include_try lines and gives an error
if !include is used. So for now it's not a good idea to
start using !include in default settings. :)
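The split layout the thread arrives at, as an added example that is not part of the post or of Dovecot itself: a world-readable dovecot.conf that pulls ssl_key_password from a root-only dovecot-secret.conf via !include_try, the pre-fix layout with the passphrase inline for comparison, and a small audit that flags any *.conf still carrying a passphrase with group or other read bits. The directory paths, certificate file names and the passphrase value are constructed for illustration; the audit's permission check assumes the usual three-digit octal mode as printed by GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or the Dovecot project.
# Demonstrates moving the SSL key passphrase out of the world-readable
# dovecot.conf into a 0600 dovecot-secret.conf pulled in with !include_try,
# plus an audit for passphrases that are still readable by group or others.
# Paths, certificate names and the passphrase are made up for the example.

# Write the split configuration into directory $1.
write_split_config() {
    dir="$1"
    # dovecot.conf may stay 0644: deliver (run as the mail user) still
    # reads it, and it no longer carries a secret.
    umask 022
    cat > "$dir/dovecot.conf" <<EOF
protocols = imap imaps
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
# Passphrase lives in a root-only file. !include_try is silent if the
# file is absent, and deliver skips the line entirely.
!include_try $dir/dovecot-secret.conf
EOF
    # umask 077 so the secret file is never world-readable, not even briefly.
    umask 077
    printf 'ssl_key_password = %s\n' 'example-only-passphrase' > "$dir/dovecot-secret.conf"
}

# Write the pre-fix layout into $1: passphrase inline in a 0644 dovecot.conf.
write_leaky_config() {
    dir="$1"
    umask 022
    cat > "$dir/dovecot.conf" <<EOF
protocols = imap imaps
ssl_key_file = /etc/ssl/private/dovecot.pem
ssl_key_password = example-only-passphrase
EOF
}

# Octal mode of a file, portable across GNU and BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Count *.conf files under $1 that contain an ssl_key_password line and are
# readable by group or others. Prints the count on stdout (0 = no exposure)
# and one "exposed:" line per offending file on stderr.
count_exposed_passphrases() {
    n=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        grep -q '^[[:space:]]*ssl_key_password[[:space:]]*=' "$f" || continue
        mode=$(file_mode "$f")
        # Group digit is second-to-last, other digit is last; read bit is 4,
        # so any digit in 4-7 in either position means the secret leaks.
        case "$mode" in
            *[4-7]?|*[4-7]) echo "exposed: $f (mode $mode)" >&2; n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}
```

Usage: `write_leaky_config /tmp/dc && count_exposed_passphrases /tmp/dc` reports the inline passphrase; after `write_split_config /tmp/dc` the count drops to 0. The layout relies on the master process starting as root so it can read the 0600 secret file; if dovecot.conf is installed somewhere other than the directory used here, keep the !include_try path absolute so it does not depend on the working directory.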