Eygene Ryabinkin
2008-Nov-19 14:00 UTC
ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
>Number: 129000 >Category: ports >Synopsis: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578 >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Nov 19 22:00:10 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.1-PRERELEASE i386 >Organization:Code Labs>Environment:System: FreeBSD 7.1-PRERELEASE i386>Description:There were two vulnerabilities in the ACL handling for Dovecot prior to the 1.1.4 [1]: ----- - ACL plugin fixes: Negative rights were actually treated as positive rights. 'k' right didn't prevent creating parent/child/child mailbox. ACL groups weren't working. ----- [1] http://www.dovecot.org/list/dovecot-news/2008-October/000085.html>How-To-Repeat:http://www.dovecot.org/list/dovecot-news/2008-October/000085.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4577 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4578>Fix:The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- <vuln vid="unknown"> <topic>dovecot -- two ACL bypassing vulnerabilities</topic> <affects> <package> <name>dovecot</name> <range><lt>1.1.6</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>Dovecot 1.1.4 release announcement says:</p> <blockquote cite="http://www.dovecot.org/list/dovecot-news/2008-October/000085.html/"> <p>ACL plugin fixes: Negative rights were actually treated as positive rights. 'k' right didn't prevent creating parent/child/child mailbox. ACL groups weren't working.</p> </blockquote> </body> </description> <references> <cvename>CVE-2008-4577</cvename> <mlist>http://www.dovecot.org/list/dovecot-news/2008-October/000085.html</mlist> </references> <dates> <discovery>2008-10-05</discovery> </dates> </vuln> --- vuln.xml ends here --- I am putting '< 1.1.6' because FreeBSD ports version line was the following: ... -> 1.1.3 -> 1.1.6.>Release-Note: >Audit-Trail: >Unformatted:
edwin@FreeBSD.org
2008-Nov-19 15:15 UTC
ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
Synopsis: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578 State-Changed-From-To: open->feedback State-Changed-By: edwin State-Changed-When: Wed Nov 19 22:00:27 UTC 2008 State-Changed-Why: Awaiting maintainers feedback (via the GNATS Auto Assign Tool) http://www.freebsd.org/cgi/query-pr.cgi?pr=129000
Eygene Ryabinkin
2008-Nov-19 15:16 UTC
ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
Xin, good day. Wed, Nov 19, 2008 at 10:37:12PM +0000, delphij@FreeBSD.org wrote:> Synopsis: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578 > > State-Changed-From-To: open->closed > State-Changed-By: delphij > State-Changed-When: Wed Nov 19 22:36:55 UTC 2008 > State-Changed-Why: > Committed with some changes, thanks!Thanks for handling this. But I have a question: what is the general policy about versions that are to be documented within the 'range' clauses? You had changed version specification to '1.1.4', but it was never been in the FreeBSD ports tree. So, should we specify only existing port versions or we can specify vendor-specific versions as well, provided that the specification will be the same from the point of view of the port version evolution? Thanks again! -- Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook {_.-``-' {_/ # -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20081119/4989b057/attachment.pgp