CVE-2010-3304
Published: 24 September 2010
The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs.
Notes
Author | Note |
---|---|
mdeslaur | upstream says only 1.2.x, but code is present in at least as far back as jaunty. Code doesn't look affected in hardy and earlier. Couldn't reproduce on karmic, so not-affected. |
Priority
Status
Package | Release | Status |
---|---|---|
dovecot Launchpad, Ubuntu, Debian |
dapper |
Not vulnerable
(1.0.beta3-3ubuntu5.6)
|
hardy |
Not vulnerable
(1:1.0.10-1ubuntu5.2)
|
|
jaunty |
Ignored
(end of life)
|
|
karmic |
Not vulnerable
(1:1.1.11-0ubuntu11)
|
|
lucid |
Released
(1:1.2.9-1ubuntu6.3)
|
|
maverick |
Released
(1:1.2.12-1ubuntu8.1)
|
|
upstream |
Released
(1:1.2.13-1)
|
|
Patches: upstream: http://hg.dovecot.org/dovecot-1.2/rev/aae3b2a12cd0 |