Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Bugtraq>
  3. Bugtraq
rPSA-2008-0001-1 dovecot
announce-noreply at rpath
Jan 3, 2008, 10:33 AM
Post #1 of 5 (2216 views)
Permalink
rPath Security Advisory: 2008-0001-1
Published: 2008-01-03
Products:
rPath Linux 1

Rating: Minor
Exposure Level Classification:
Remote User Non-deterministic Weakness
Updated Versions:
dovecot=conary.rpath.com@rpl:1/1.0.10-0.1-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-2076

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6598

Description:
Previous versions of the dovecot package contain multiple
vulnerabilities, the most serious of which might confuse
LDAP-authenticated logins between different users with the
same password. Other vulnerabilities include Denials of
Service which appear to be limited to the connecting user.

http://wiki.rpath.com/Advisories:rPSA-2008-0001

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
Re: rPSA-2008-0001-1 dovecot [ In reply to ]
dom at earth
Jan 3, 2008, 12:23 PM
Post #2 of 5 (2180 views)
Permalink
On Thu, Jan 03, 2008 at 01:33:39PM -0500, rPath Update Announcements wrote:

> rPath Issue Tracking System:
> https://issues.rpath.com/browse/RPL-2076
>
> References:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6598

This CVE does not exist - do you mean
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794
?

> Description:
> Previous versions of the dovecot package contain multiple
> vulnerabilities, the most serious of which might confuse
> LDAP-authenticated logins between different users with the
> same password. Other vulnerabilities include Denials of
> Service which appear to be limited to the connecting user.
>
> http://wiki.rpath.com/Advisories:rPSA-2008-0001

This is rather misleading - the bug was not in Dovecot, but in nss_ldap.
You may have put a workaround into Dovecot, but it would have been
polite to mention this fact.

Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Re: rPSA-2008-0001-1 dovecot [ In reply to ]
coley at mitre
Jan 3, 2008, 5:13 PM
Post #3 of 5 (2176 views)
Permalink
>> References:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6598
>
>This CVE does not exist - do you mean
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794

No, CVE-2007-6598 is correct. Sometimes a CVE number is publicly used
before it has been updated on the public CVE web server, especially
with Linux distros (a couple Debian advisories today currently have
the same issue). This "race condition" is an artifact of our CVE
reservation and web site processes. This particular item will be on
the CVE site shortly.

>> http://wiki.rpath.com/Advisories:rPSA-2008-0001
>
>This is rather misleading - the bug was not in Dovecot, but in
>nss_ldap. You may have put a workaround into Dovecot, but it would
>have been polite to mention this fact.

The announcement from Timo Sirainen, the upstream developer, does not
mention nss_ldap :

http://dovecot.org/list/dovecot-news/2007-December/000057.html
http://dovecot.org/list/dovecot-news/2007-December/000058.html

... so perhaps some clarification is in order.

- Steve
Re: rPSA-2008-0001-1 dovecot [ In reply to ]
smithj at rpath
Jan 3, 2008, 11:31 PM
Post #4 of 5 (2173 views)
Permalink
Steven M. Christey wrote:
> No, CVE-2007-6598 is correct.
> [snip]
> The announcement from Timo Sirainen, the upstream developer, does not
> mention nss_ldap :
>
> http://dovecot.org/list/dovecot-news/2007-December/000057.html
> http://dovecot.org/list/dovecot-news/2007-December/000058.html
>
> ... so perhaps some clarification is in order.

rPath fixed the nss_ldap issue a month ago with rPSA-2007-0255-1. Our
mailing list archived it at
http://lists.rpath.com/pipermail/security-announce/2007-November/000284.html,
but it should have been sent to bugtraq as well.

The fix did not require any modifications to dovecot, so that is why
dovecot wasn't mentioned in the advisory.

smithj
Re: rPSA-2008-0001-1 dovecot [ In reply to ]
dom at earth
Jan 4, 2008, 1:16 AM
Post #5 of 5 (2172 views)
Permalink
On Thu, Jan 03, 2008 at 08:13:04PM -0500, Steven M. Christey wrote:
>
> >> References:
> >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6598
> >
> >This CVE does not exist - do you mean
> >http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794
>
> No, CVE-2007-6598 is correct. Sometimes a CVE number is publicly used
> before it has been updated on the public CVE web server, especially
> with Linux distros (a couple Debian advisories today currently have
> the same issue). This "race condition" is an artifact of our CVE
> reservation and web site processes. This particular item will be on
> the CVE site shortly.
>
> >> http://wiki.rpath.com/Advisories:rPSA-2008-0001
> >
> >This is rather misleading - the bug was not in Dovecot, but in
> >nss_ldap. You may have put a workaround into Dovecot, but it would
> >have been polite to mention this fact.
>
> The announcement from Timo Sirainen, the upstream developer, does not
> mention nss_ldap :
>
> http://dovecot.org/list/dovecot-news/2007-December/000057.html
> http://dovecot.org/list/dovecot-news/2007-December/000058.html
>
> ... so perhaps some clarification is in order.

My apologies then - it looks like I made a bad assumption!

Cheers,

Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal