[vuxml] document vulnerability in dovecot-managesieve
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Sun Nov 30 08:36:30 PST 2008
>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [vuxml] document vulnerability in dovecot-managesieve
>Severity: serious
>Priority: medium
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.0-STABLE amd64
>Environment:
System: FreeBSD 7.0-STABLE amd64
>Description:
There is a bug in the dovecot-managesieve that allows virtual users
to get read/write access to the other's sieve files in some curcumstances:
http://www.dovecot.org/list/dovecot/2008-November/035259.html
>How-To-Repeat:
Look at http://www.dovecot.org/list/dovecot/2008-November/035259.html
PR ports/129028 mentions the security vulnerability (that was eliminated
by that PR), but does not add a new VuXML entry.
>Fix:
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="unknown">
<topic>dovecot-managesieve -- unallowed read/write access to the sieve scripts by virtual users</topic>
<affects>
<package>
<name>dovecot-managesieve</name>
<range><lt>0.10.4</lt></range>
<range><ge>0.11.0</ge><lt>0.11.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stephan Bosch, maintainer of dovecot-managesieve, reports:</p>
<blockquote cite="http://www.dovecot.org/list/dovecot/2008-November/035259.html">
<p>…clever virtual users that know the directory
structure of the server can read and edit script files of
other virtual users with the same system uid.</p>
</blockquote>
</body>
</description>
<references>
<mlist>http://www.dovecot.org/list/dovecot/2008-November/035259.html</mlist>
<url>http://secunia.com/Advisories/32768/</url>
</references>
<dates>
<discovery>2008-11-17</discovery>
<entry>TODAY</entry>
</dates>
</vuln>
--- vuln.xml ends here ---
I had marked port versions '>=0.11.0<0.11.1' to be affected too, because
these upstream versions are affected. There are no such port versions
in the official FreeBSD ports tree.
More information about the freebsd-vuxml
mailing list