Fedora 7 : dovecot-1.0.13-18.fc7 (2008-2475)

Medium Nessus Plugin ID 31436


The remote Fedora host is missing a security update.


This update upgrades dovecot from version 1.0.10 to 1.0.13. Besides bug fixes, two security issues were fixed upstream in version 1.0.11 and 1.0.13. CVE-2008-1199 If Dovecot was configured with mail_extra_groups = mail, users having shell access to IMAP server could use this flaw to read, modify or delete mails of other users stored in inbox files in /var/mail. /var/mail directory is mail-group writable and user inbox files are by default created by useradd with permission 660, <user>:mail. No mail_extra_groups is set by default, hence default Fedora configuration was not affected by this problem.
If your configuration sets mail_extra_groups, see new options mail_privileged_group and mail_access_groups introduced in Dovecot 1.0.11. (mail_extra_groups is still accepted, but is deprecated now) CVE-2008-1218 On Dovecot versions 1.0.11 and newer, it was possible to gain password-less login via passwords with tab characters, which were not filtered properly. Dovecot versions in Fedora were not affected by this unauthorized login flaw, but only by a related minor memory leak in dovecot-auth worker process. See referenced bugzilla for further details about this flaw.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.


Update the affected dovecot package.

See Also




Plugin Details

Severity: Medium

ID: 31436

File Name: fedora_2008-2475.nasl

Version: $Revision: 1.14 $

Type: local

Agent: unix

Published: 2008/03/13

Modified: 2016/12/08

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:dovecot, cpe:/o:fedoraproject:fedora:7

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2008/03/13

Reference Information

CVE: CVE-2008-1199, CVE-2008-1218

BID: 28092, 28181

FEDORA: 2008-2475

CWE: 16, 59, 255