PublicDateAtUSN: 2010-10-06
Candidate: CVE-2010-3779
PublicDate: 2010-10-06 21:00:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3779
 https://ubuntu.com/security/notices/USN-1059-1
Description:
 Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin
 permission to the owner of each mailbox in a non-public namespace, which
 might allow remote authenticated users to bypass intended access
 restrictions by changing the ACL of a mailbox, as demonstrated by a
 symlinked shared mailbox.
Ubuntu-Description:
Notes:
 sbeattie> from upstream email at
  http://www.dovecot.org/list/dovecot/2010-October/053452.html
  it sounds like problem was introduced in 1.2.8, so earlier may not be
  vulnerable.
 mdeslaur> Code doesn't seem present in karmic and older
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599521
Priority: low
Discovered-by:
Assigned-to:
CVSS:

Patches_dovecot:
 upstream: http://hg.dovecot.org/dovecot-1.2/rev/9e824012da57
upstream_dovecot: released (1.2.15, 2.0.5)
dapper_dovecot: not-affected (1.0.beta3-3ubuntu5.6)
hardy_dovecot: not-affected (1:1.0.10-1ubuntu5.2)
jaunty_dovecot: ignored (reached end-of-life)
karmic_dovecot: not-affected (1:1.1.11-0ubuntu11)
lucid_dovecot: released (1:1.2.9-1ubuntu6.3)
maverick_dovecot: released (1:1.2.12-1ubuntu8.1)
devel_dovecot: not-affected (1:1.2.15-3ubuntu1)