Candidate: CVE-2008-4870
PublicDate: 2008-11-01 00:00:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4870
Description:
 dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses
 world-readable permissions for dovecot.conf, which allows local users to obtain
 the ssl_key_password parameter value.
Ubuntu-Description:
Notes:
 jdstrand> marking as low because the default configuration doesn't set ssl_key_password
 mdeslaur> file permissions can't be changed because of "deliver"
 mdeslaur> Red Hat backported a new "!include_try" directive to the config
 mdeslaur> file that allows including a second permission-protected
 mdeslaur> config file (taken from 1.1.7)
 mdeslaur> Debian says "by default this file doesn't contain sensitive
 mdeslaur> information and administrator changing this should ensure on its
 mdeslaur> own that the mode is secure"
 mdeslaur>
 mdeslaur> after discussion with kees and jdstrand, here's our plan:
 mdeslaur> TODO: add a warning to the default conf file.
 mdeslaur> on second thought, not worth risking a conf file prompt, so
 mdeslaur> marking as ignored
Bugs:
 https://bugzilla.redhat.com/show_bug.cgi?id=436287
Priority: low
Discovered-by:
Assigned-to:
CVSS:

Patches_dovecot:
upstream_dovecot: released (1.1.7)
dapper_dovecot: ignored
gutsy_dovecot: needed (reached end-of-life)
hardy_dovecot: ignored
intrepid_dovecot: needed (reached end-of-life)
jaunty_dovecot: not-affected (1:1.1.11-0ubuntu2)
karmic_dovecot: not-affected (1:1.1.11-0ubuntu2)
lucid_dovecot: not-affected (1:1.1.11-0ubuntu2)
devel_dovecot: not-affected (1:1.1.11-0ubuntu2)
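The check and the mitigation discussed above, as an added example that is not part of the tracker entry, of dovecot, or of Red Hat's backport: a POSIX sh script that flags a dovecot.conf which is group- or world-readable and carries an active ssl_key_password, then applies the split the note describes (leave dovecot.conf readable for "deliver", move the passphrase into a 0600 file referenced with "!include_try"). The config lines, paths and passphrase are constructed for the demo; the mode test relies on the standard 10-character "ls -l" mode column; and the property that "!include_try" tolerates an included file the invoking user cannot open is taken from the note, not verified by the script.

```shell
#!/bin/sh
# Added example (not from the Ubuntu CVE tracker entry, dovecot, or Red Hat).
# Reproduces the CVE-2008-4870 exposure on a constructed config and applies
# the split the note describes. All file contents and paths are constructed.

# Exit 0 when CONF is readable by group or other AND sets a non-empty
# ssl_key_password, i.e. any local user can read the key passphrase.
# Mode string from "ls -l": column 5 = group read bit, column 8 = other read bit.
dovecot_conf_leaks_key_password() {
    conf=$1
    [ -f "$conf" ] || return 1
    mode=$(ls -ld "$conf" | cut -c1-10)
    case $mode in
        ????r?????|???????r??) ;;   # group- or world-readable
        *) return 1 ;;
    esac
    # an active (uncommented) ssl_key_password line with a value
    grep -Eq '^[[:space:]]*ssl_key_password[[:space:]]*=[[:space:]]*[^[:space:]#]' "$conf"
}

# Move ssl_key_password from CONF into SECRET (mode 0600) and reference SECRET
# from CONF with "!include_try". Per the note, include_try does not abort when
# the included file is unreadable by the invoking user, which is what keeps
# "deliver" working; that behaviour is dovecot's and is assumed, not checked.
split_out_key_password() {
    conf=$1 secret=$2
    value=$(sed -n 's/^[[:space:]]*ssl_key_password[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ -n "$value" ] || return 1
    (umask 077 && printf 'ssl_key_password = %s\n' "$value" > "$secret") || return 1
    chmod 0600 "$secret"
    # Remove the secret from the shared file. Writing back through cat keeps
    # the original inode and mode (POSIX sed has no -i).
    sed '/^[[:space:]]*ssl_key_password[[:space:]]*=/d' "$conf" > "$conf.tmp" &&
        cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp" || return 1
    printf '!include_try %s\n' "$secret" >> "$conf"
}

# Stand-alone demo on a constructed RHEL-5-style config in a temp dir.
demo() {
    work=$(mktemp -d) || return 1
    conf=$work/dovecot.conf
    secret=$work/dovecot-private.conf
    printf '%s\n' \
        'protocols = imaps pop3s' \
        'ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem' \
        'ssl_key_file = /etc/pki/dovecot/private/dovecot.pem' \
        'ssl_key_password = constructed-demo-passphrase' > "$conf"
    chmod 0644 "$conf"   # the world-readable default the CVE is about

    if dovecot_conf_leaks_key_password "$conf"; then
        echo "before: $conf is world-readable and sets ssl_key_password (LEAK)"
    fi
    split_out_key_password "$conf" "$secret" || return 1
    if dovecot_conf_leaks_key_password "$conf"; then
        echo "after: still leaking"; rm -rf "$work"; return 1
    fi
    echo "after: $conf no longer carries the passphrase"
    echo "after: $(ls -l "$secret")"
    rm -rf "$work"
}

demo
```

The "!include_try" directive is the one upstream shipped in 1.1.7 and Red Hat backported to its 1.0.7 package; a dovecot build that lacks it will reject the rewritten config, so confirm the directive is supported before splitting a production file. The check deliberately ignores commented-out lines, since the Ubuntu default configuration sets no ssl_key_password at all, which is why the entry is rated low.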