Is dovecot vulnerable to the shellshock/CVE-2014-6271 exploit?
Joseph Tam
jtam.home at gmail.com
Fri Sep 26 08:46:56 UTC 2014
On Fri, 26 Sep 2014, Stephan Bosch wrote:
> I don't see much of an attack vector there either. However, there are
> some people that have wrapped /usr/sbin/sendmail in a shell script to
> achieve some sort of custom messaging behavior. Those would be vulnerable.
>
> Another possibility for trouble would be systems using the Pigeonhole
> extprograms plugin with shell scripts.
Although I don't use it, it's plausible the checkpassword hook is also vulnerable
via the MASTER_USER environment variable:
http://wiki2.dovecot.org/AuthDatabase/CheckPassword
Joseph Tam <jtam.home at gmail.com>
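One way to close the checkpassword exposure discussed in this message is a wrapper that runs before any shell script does. This is an added example, not code from the post or from Dovecot. It assumes the wrapper is written in a language other than bash and is invoked with the real script's path as its first argument; `scrub_env`, `main` and `SAMPLE_ENV` are hypothetical names.

```python
import os
import sys

# Pre-patch bash treats any environment value starting with this prefix as an
# exported function definition and parses it at startup (CVE-2014-6271).
FUNC_PREFIX = "() {"


def scrub_env(env):
    """Split env into (clean, dropped): dropped lists the names of variables
    whose value has the shape bash would import as a function."""
    clean, dropped = {}, []
    for name, value in env.items():
        # lstrip() is deliberately stricter than bash's own prefix check.
        if value.lstrip().startswith(FUNC_PREFIX):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, sorted(dropped)


def main(argv):
    # Assumed invocation: wrapper.py /path/to/real-script <checkpassword-reply>
    if len(argv) < 2:
        return 111  # checkpassword convention: temporary failure
    clean, dropped = scrub_env(dict(os.environ))
    if dropped:
        # Fail closed: no legitimate login name looks like a function body.
        sys.stderr.write("refusing login, suspicious env: %s\n" % ", ".join(dropped))
        return 1  # checkpassword convention: authentication failure
    # fd 3 (username/password from Dovecot) is inherited across execve.
    os.execve(argv[1], argv[1:], clean)


# Constructed sample environment, not taken from a real system.
SAMPLE_ENV = {
    "USER": "alice",
    "HOME": "/home/alice",
    "MASTER_USER": "() { :; }; true",
    "NOTE": "(plain text) { not a function }",
}

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Patching bash remains the actual fix; the wrapper only keeps function-shaped values in client-influenced variables such as MASTER_USER from reaching a shell.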