Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
RedHat Security Advisory RHSA-2009:0205
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
The remote host is missing updates to Dovecot announced in advisory RHSA-2009:0205. A flaw was found in Dovecot's ACL plug-in. The ACL plug-in treated negative access rights as positive rights, which could allow an attacker to bypass intended access restrictions. (CVE-2008-4577) A password disclosure flaw was found with Dovecot's configuration file. If a system had the ssl_key_password option defined, any local user could view the SSL key password. (CVE-2008-4870) Note: This flaw did not allow the attacker to acquire the contents of the SSL key. The password has no value without the key file which arbitrary users should not have read access to. To better protect even this value, however, the dovecot.conf file now supports the !include_try directive. The ssl_key_password option should be moved from dovecot.conf to a new file owned by, and only readable and writable by, root (ie 0600). This file should be referenced from dovecot.conf by setting the !include_try [/path/to/password/file] option. Additionally, a number of bug fixes were made (see the referenced advisories for details). Users of dovecot are advised to upgrade to this updated package, which addresses these vulnerabilities and resolves these issues.
Solution
Solution
Please note that this update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date