|
»
[vuxml] document vulnerability in dovecot-managesieve
|
View:
New views
1 Messages
—
Rating Filter:
Alert me
|
 |
[vuxml] document vulnerability in dovecot-managesieve
by Eygene Ryabinkin-3
::
Rate this Message:
>Submitter-Id: current-users >Originator: Eygene Ryabinkin >Organization: Code Labs >Confidential: no >Synopsis: [vuxml] document vulnerability in dovecot-managesieve >Severity: serious >Priority: medium >Category: ports >Class: sw-bug >Release: FreeBSD 7.0-STABLE amd64 >Environment: System: FreeBSD 7.0-STABLE amd64 >Description: There is a bug in the dovecot-managesieve that allows virtual users to get read/write access to the other's sieve files in some curcumstances: http://www.dovecot.org/list/dovecot/2008-November/035259.html >How-To-Repeat: Look at http://www.dovecot.org/list/dovecot/2008-November/035259.html PR ports/129028 mentions the security vulnerability (that was eliminated by that PR), but does not add a new VuXML entry. >Fix: The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- <vuln vid="unknown"> <topic>dovecot-managesieve -- unallowed read/write access to the sieve scripts by virtual users</topic> <affects> <package> <name>dovecot-managesieve</name> <range><lt>0.10.4</lt></range> <range><ge>0.11.0</ge><lt>0.11.1</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>Stephan Bosch, maintainer of dovecot-managesieve, reports:</p> <blockquote cite="http://www.dovecot.org/list/dovecot/2008-November/035259.html"> <p>…clever virtual users that know the directory structure of the server can read and edit script files of other virtual users with the same system uid.</p> </blockquote> </body> </description> <references> <mlist>http://www.dovecot.org/list/dovecot/2008-November/035259.html</mlist> <url>http://secunia.com/Advisories/32768/</url> </references> <dates> <discovery>2008-11-17</discovery> <entry>TODAY</entry> </dates> </vuln> --- vuln.xml ends here --- I had marked port versions '>=0.11.0<0.11.1' to be affected too, because these upstream versions are affected. There are no such port versions in the official FreeBSD ports tree. _______________________________________________ freebsd-vuxml@... mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-vuxml To unsubscribe, send any mail to "freebsd-vuxml-unsubscribe@..." |
| Free embeddable forum powered by Nabble | Forum Help |
