How to Buy
This script is Copyright (C) 2012 Tenable Network Security, Inc.
The remote Scientific Linux host is missing a security update.
A flaw was discovered in the way Dovecot handled the
'mail_extra_groups' option. An authenticated attacker with local shell
access could leverage this flaw to read, modify, or delete other users
mail that is stored on the mail server. (CVE-2008-1199)
This issue did not affect the default Red Hat Enterprise Linux 5
Dovecot configuration. This update adds two new configuration options
-- 'mail_privileged_group' and 'mail_access_groups' -- to minimize the
usage of additional privileges.
A directory traversal flaw was discovered in Dovecot's zlib plug-in.
An authenticated user could use this flaw to view other compressed
mailboxes with the permissions of the Dovecot process. (CVE-2007-2231)
A flaw was found in the Dovecot ACL plug-in. User with only insert
permissions for a mailbox could use the 'COPY' and 'APPEND' commands
to set additional message flags. (CVE-2007-4211)
A flaw was found in a way Dovecot cached LDAP query results in certain
configurations. This could possibly allow authenticated users to log
in as a different user who has the same password. (CVE-2007-6598)
As well, this updated package fixes the following bugs :
- configuring 'userdb' and 'passdb' to use LDAP caused
Dovecot to hang. A segmentation fault may have occurred.
In this updated package, using an LDAP backend for
'userdb' and 'passdb' no longer causes Dovecot to hang.
- the Dovecot 'login_process_size' limit was configured
for 32-bit systems. On 64-bit systems, when Dovecot was
configured to use either IMAP or POP3, the log in
processes crashed with out-of-memory errors. Errors such
as the following were logged :
pop3-login: pop3-login: error while loading shared libraries:
libsepol.so.1: failed to map segment from shared object: Cannot
In this updated package, the 'login_process_size' limit is correctly
configured on 64-bit systems, which resolves this issue.
Note: this updated package upgrades dovecot to version 1.0.7. For
further details, refer to the Dovecot changelog:
See also :
Update the affected dovecot package.
Risk factor :
Medium / CVSS Base Score : 6.8
Family: Scientific Linux Local Security Checks
Nessus Plugin ID: 60404 ()
CVE ID: CVE-2007-2231CVE-2007-4211CVE-2007-6598CVE-2008-1199
Upgrade to Nessus Professional today!
Start your free Nessus Cloud trial now!
Begin Free Trial
The cookie settings on this website are set to 'allow all cookies' to give you the very best website experience. If you continue without changing these settings, you consent to this - but if you want, you can opt out of all cookies by clicking below.