Candidate: CVE-2008-4870
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4870
dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora,
uses world-readable permissions for dovecot.conf, which allows local users
to obtain the ssl_key_password parameter value.
jdstrand> marking as low because the default configuration doesn't set
mdeslaur> file permissions can't be changed because of "deliver"
mdeslaur> Red Hat backported a new "!include_try" directive to the config
mdeslaur> file that allows including a second permission-protected
mdeslaur> config file (taken from 1.1.7)
mdeslaur> Debian says "by default this file doesn't contain sensitive
mdeslaur> information and administrator changing this should ensure on its
mdeslaur> own that the mode is secure"
mdeslaur> after discussion with kees and jdstrand, here's our plan:
mdeslaur> TODO: add a warning to the default conf file.
mdeslaur> on second thought, not worth risking a conf file prompt, so
mdeslaur> marking as ignored
https://bugzilla.redhat.com/show_bug.cgi?id=436287
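Added example (not code from the Ubuntu tracker, from Red Hat or from Dovecot): the notes say the mode of dovecot.conf itself cannot be tightened because "deliver" has to read it, so the workable mitigation is the one the Red Hat backport enables, keeping the main file readable and moving only the ssl_key_password line into a second file that is root-only and pulled in with the "!include_try" directive named above (Dovecot skips an included file it cannot open, which is what lets deliver keep working). The script below first checks a set of config files for an uncommented ssl_key_password line sitting in a world-readable file, then performs that split. The function names, the sample config contents and the /path/to/... values are constructed for this example; they are not a real distribution's dovecot.conf.

```shell
#!/bin/sh
# Added example, not from the tracker, Red Hat or Dovecot. Function names
# and the sample config are constructed for illustration.

# An uncommented ssl_key_password setting, allowing leading whitespace.
SECRET_RE='^[[:space:]]*ssl_key_password[[:space:]]*='

# Flag every given file that holds ssl_key_password and is readable by
# "other". Returns 1 if at least one such file was found, otherwise 0.
check_secret_perms() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -Eq "$SECRET_RE" "$f" || continue
        # column 8 of the ls -l mode string is the other-read bit ('r' or '-');
        # using ls avoids the GNU/BSD differences in stat(1) format strings
        if [ "$(ls -ld "$f" | cut -c8)" = r ]; then
            echo "WARNING: $f contains ssl_key_password and is world-readable"
            rc=1
        fi
    done
    return $rc
}

# Move the ssl_key_password line(s) from $1 into $2 (created mode 0600) and
# append "!include_try $2" to $1. $1 keeps its own mode and owner, so a
# process that must still read it (such as deliver) is unaffected.
split_secret() {
    conf=$1
    secret=$2
    # create the secret file without group/other bits from the very first write
    ( umask 077; grep -E "$SECRET_RE" "$conf" > "$secret" ) || :
    chmod 600 "$secret"
    grep -Ev "$SECRET_RE" "$conf" > "$conf.tmp" || :
    printf '!include_try %s\n' "$secret" >> "$conf.tmp"
    # rewrite in place rather than mv, so $conf keeps its permissions
    cat "$conf.tmp" > "$conf"
    rm -f "$conf.tmp"
}

# Walk through the weak and the fixed layout on a constructed sample config.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/dovecot.conf" <<'EOF'
# constructed sample, not a real distribution dovecot.conf
protocols = imap imaps
ssl_cert_file = /path/to/dovecot.pem
ssl_key_file = /path/to/dovecot-key.pem
ssl_key_password = example-passphrase
EOF
    chmod 644 "$dir/dovecot.conf"   # the world-readable situation from the CVE text
    echo "--- before splitting:"
    check_secret_perms "$dir/dovecot.conf" || :
    split_secret "$dir/dovecot.conf" "$dir/dovecot-secret.conf"
    echo "--- after splitting:"
    check_secret_perms "$dir/dovecot.conf" "$dir/dovecot-secret.conf" && echo "no world-readable secret"
    echo "--- main file now reads:"
    cat "$dir/dovecot.conf"
    rm -rf "$dir"
}

demo
```

Run it as root (or against a copy of the config) and pass the real paths to check_secret_perms to audit an installation; split_secret only moves the one setting, so the warning the notes wanted in the default file is still worth adding by hand, since an administrator who later puts ssl_key_password back into the main file reintroduces the exposure.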
upstream_dovecot: released (1.1.7)
dapper_dovecot: ignored
gutsy_dovecot: needed (reached end-of-life)
hardy_dovecot: ignored
intrepid_dovecot: needed (reached end-of-life)
jaunty_dovecot: not-affected (1:1.1.11-0ubuntu2)
karmic_dovecot: not-affected (1:1.1.11-0ubuntu2)
lucid_dovecot: not-affected (1:1.1.11-0ubuntu2)
devel_dovecot: not-affected (1:1.1.11-0ubuntu2)