PublicDateAtUSN: 2010-09-24
Candidate: CVE-2010-3304
PublicDate: 2010-09-24 19:00:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3304
 http://www.dovecot.org/list/dovecot-news/2010-July/000163.html
 https://ubuntu.com/security/notices/USN-1059-1
Description:
 The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to
 newly created mailboxes in certain configurations, which might allow remote
 attackers to read mailboxes that have unintended weak ACLs.
Ubuntu-Description:
Notes:
 mdeslaur> upstream says only 1.2.x, but code is present in at least as far
 mdeslaur> back as jaunty. Code doesn't look affected in hardy and earlier.
 mdeslaur> Couldn't reproduce on karmic, so not-affected.
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_dovecot:
 upstream: http://hg.dovecot.org/dovecot-1.2/rev/aae3b2a12cd0
upstream_dovecot: released (1:1.2.13-1)
dapper_dovecot: not-affected (1.0.beta3-3ubuntu5.6)
hardy_dovecot: not-affected (1:1.0.10-1ubuntu5.2)
jaunty_dovecot: ignored (reached end-of-life)
karmic_dovecot: not-affected (1:1.1.11-0ubuntu11)
lucid_dovecot: released (1:1.2.9-1ubuntu6.3)
maverick_dovecot: released (1:1.2.12-1ubuntu8.1)
devel_dovecot: not-affected (1:1.2.15-3ubuntu1)