| Descripción: | Description:
The remote host is missing updates announced in
advisory RHSA-2008:0297.
Dovecot is an IMAP server for Linux and UNIX-like systems, primarily
written with security in mind.
A flaw was discovered in the way Dovecot handled the mail_extra_groups
option. An authenticated attacker with local shell access could leverage
this flaw to read, modify, or delete other users mail that is stored on
the mail server. (CVE-2008-1199)
This issue did not affect the default Red Hat Enterprise Linux 5 Dovecot
configuration. This update adds two new configuration options --
mail_privileged_group and mail_access_groups -- to minimize the usage
of additional privileges.
A directory traversal flaw was discovered in Dovecot's zlib plug-in. An
authenticated user could use this flaw to view other compressed mailboxes
with the permissions of the Dovecot process. (CVE-2007-2231)
A flaw was found in the Dovecot ACL plug-in. User with only insert
permissions for a mailbox could use the COPY and APPEND commands to set
additional message flags. (CVE-2007-4211)
A flaw was found in a way Dovecot cached LDAP query results in certain
configurations. This could possibly allow authenticated users to log in as
a different user who has the same password. (CVE-2007-6598)
Note: this updated package upgrades dovecot to version 1.0.7. For
further details, refer to the Dovecot changelog:
http://koji.fedoraproject.org/koji/buildinfo?buildID=23397
Users of dovecot are advised to upgrade to this updated package, which
resolves these issues.
Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date
http://rhn.redhat.com/errata/RHSA-2008-0297.html
http://www.redhat.com/security/updates/classification/#low
Risk factor : High
CVSS Score:
6.8
|
