Is dovecot vulnerable to the shellshock/CVE-2014-6271 exploit?

Joseph Tam jtam.home at gmail.com
Fri Sep 26 08:46:56 UTC 2014


On Fri, 26 Sep 2014, Stephan Bosch wrote:

> I don't see much of an attack vector there either. However, there are
> some people that have wrapped /usr/sbin/sendmail in a shell script to
> achieve some sort of custom messaging behavior. Those would be vulnerable.
>
> Another possibility for trouble would be systems using the Pigeonhole
> extprograms plugin with shell scripts.

Although I don't use it, it's plausible the checkpassword hook is also vulnerable
via the MASTER_USER environment variable:

 	http://wiki2.dovecot.org/AuthDatabase/CheckPassword

Joseph Tam <jtam.home at gmail.com>
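
Added example, not part of the original message and not Dovecot's own code: a POSIX shell helper for auditing the kinds of hooks named in this thread (a sendmail wrapper, Pigeonhole extprograms scripts, a checkpassword script) by reporting whether each file's interpreter resolves to bash. The function name `classify_hook` and the verdict labels are invented for this example; the hook paths are whatever you pass as arguments.

```shell
#!/bin/sh
# Added example: classify the interpreter of each hook file given as an argument.
# Verdicts (labels invented for this example):
#   bash       - shebang resolves to bash, so the hook runs under bash
#   other      - script with a non-bash interpreter
#   not-script - no shebang (compiled binary or plain data)
#   missing    - path is not a readable regular file

classify_hook() {
    f=$1
    [ -r "$f" ] && [ -f "$f" ] || { echo missing; return; }
    # Only the first line matters; strip NULs and CRs so binaries are handled.
    first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000\r')
    case $first in
        '#!'*) ;;
        *) echo not-script; return ;;
    esac
    # Split "#!/usr/bin/env bash -e" into interpreter and first argument.
    rest=${first#'#!'}
    read -r interp arg _ <<EOF
$rest
EOF
    # "#!/usr/bin/env NAME": the real interpreter is NAME, looked up in PATH.
    if [ "${interp##*/}" = env ] && [ -n "$arg" ]; then
        interp=$(command -v "$arg" 2>/dev/null || echo "$arg")
    fi
    # Follow symlinks so that a /bin/sh pointing at bash is reported as bash.
    real=$(readlink -f "$interp" 2>/dev/null) || real=$interp
    [ -n "$real" ] || real=$interp
    case ${real##*/} in
        bash*) echo bash ;;
        *) echo other ;;
    esac
}

# Print one "verdict<TAB>path" line per argument.
for f in "$@"; do
    printf '%s\t%s\n' "$(classify_hook "$f")" "$f"
done
```

A `bash` verdict only says the hook runs under bash; whether the installed bash is patched for CVE-2014-6271 has to be checked separately against the vendor's fixed package version.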

