Dovecot LDAP Auth Cache Security Bypass

2008-01-02T19:19:15
ID OSVDB:39876
Type osvdb
Reporter OSVDB
Modified 2008-01-02T19:19:15

Description

Technical Description

Successful exploitation requires non-default configuration settings and that the two users share the same 'password' and 'pass_filter' variables.

Solution Description

Upgrade to version 1.0.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Dovecot LDAP Auth Cache Security Bypass

References:

Secunia Advisory ID:28271
Secunia Advisory ID:28227
Secunia Advisory ID:28434
Secunia Advisory ID:28404
Other Advisory URL: http://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00015.html
Other Advisory URL: https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-January/000653.html
Other Advisory URL: http://dovecot.org/list/dovecot-news/2007-December/000057.html
Other Advisory URL: http://dovecot.org/list/dovecot-news/2007-December/000058.html
Other Advisory URL: http://lists.rpath.com/pipermail/security-announce/2008-January/000295.html
Mail List Post: http://www.securityfocus.com/archive/1/archive/1/485787/100/0/threaded
Mail List Post: http://www.securityfocus.com/archive/1/archive/1/485779/100/0/threaded
FrSIRT Advisory: ADV-2008-0017
CVE-2007-6598
Bugtraq ID: 27093