nessusThis script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. or an Affiliate thereof.GENTOO_GLSA-200812-16.NASL
HistoryDec 15, 2008 - 12:00 a.m.

GLSA-200812-16 : Dovecot: Multiple vulnerabilities

2008-12-15 00:00:00
This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
17

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.142 Low

EPSS

Percentile

95.8%

The remote host is affected by the vulnerability described in GLSA-200812-16 (Dovecot: Multiple vulnerabilities)

Several vulnerabilities were found in Dovecot:
- The 'k' right in the acl_plugin does not work as expected (CVE-2008-4577, CVE-2008-4578)
- The dovecot.conf is world-readable, providing improper protection for the ssl_key_password setting (CVE-2008-4870)
- A permanent Denial of Service with broken mail headers is possible (CVE-2008-4907)

Impact :

These vulnerabilities might allow a remote attacker to cause a Denial of Service or to circumvent security restrictions, or allow local attackers to disclose the passphrase of the SSL private key.

Workaround :

There is no known workaround at this time.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200812-16.
#
# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Registration branch: runs only when 'description' is set. It declares the
# plugin's identity, advisory text, risk metadata and prerequisites, then
# exits (see the exit(0) at the end) without performing any host check.
if (description)
{
  # Plugin identity and revision information.
  script_id(35108);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  # Advisory cross-references: the four CVEs, the Bugtraq id and the Gentoo
  # GLSA that this check maps to.
  script_cve_id("CVE-2008-4577", "CVE-2008-4578", "CVE-2008-4870", "CVE-2008-4907");
  script_bugtraq_id(31587);
  script_xref(name:"GLSA", value:"200812-16");

  # The summary states how the finding is derived: from the installed-package
  # database under /var/db/pkg, not from probing the Dovecot service.
  script_name(english:"GLSA-200812-16 : Dovecot: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  # Advisory description, impact and workaround text as shown in the report.
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-200812-16
(Dovecot: Multiple vulnerabilities)

    Several vulnerabilities were found in Dovecot:
    The 'k'
    right in the acl_plugin does not work as expected (CVE-2008-4577,
    CVE-2008-4578)
    The dovecot.conf is world-readable, providing
    improper protection for the ssl_key_password setting
    (CVE-2008-4870)
    A permanent Denial of Service with broken mail
    headers is possible (CVE-2008-4907)
  
Impact :

    These vulnerabilities might allow a remote attacker to cause a Denial
    of Service, to circumvent security restrictions or allow local
    attackers to disclose the passphrase of the SSL private key.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200812-16"
  );
  # NOTE(review): the solution text says dovecot.conf stays world-readable
  # after the upgrade. A package-version comparison therefore cannot confirm
  # that ssl_key_password has been moved out of dovecot.conf (CVE-2008-4870);
  # the config file location and permissions need a separate check on the host.
  script_set_attribute(
    attribute:"solution", 
    value:
"All Dovecot users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=net-mail/dovecot-1.1.7-r1'
    Users should be aware that dovecot.conf will still be world-readable
    after the update. If employing ssl_key_password, it should not be used
    in dovecot.conf but in a separate file which should be included with
    'include_try'."
  );
  # Risk metadata: CVSS v2 base and temporal vectors. The temporal vector
  # (E:POC/RL:OF/RC:C) and the two attributes below record that exploit code
  # is available and that an official fix exists.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # CWE-20 (improper input validation) and CWE-264 (permissions, privileges
  # and access controls).
  script_cwe_id(20, 264);

  # Declared as a 'local' plugin scoped to the Gentoo dovecot package and the
  # Gentoo Linux OS via the CPE attributes.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:dovecot");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/12/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/15");
  script_end_attributes();

  # Categorised as information gathering (ACT_GATHER_INFO).
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  # Prerequisites: ssh_get_info.nasl is a declared dependency, and the KB
  # must hold the local-checks flag, the Gentoo release and the qpkg package
  # list for this plugin to be scheduled.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  # End of registration; nothing below this branch runs in description mode.
  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Preconditions: stop with the matching audit message unless local checks are
# enabled, the host was identified as Gentoo, and a package list was collected.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release"))
  audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Compare the installed net-mail/dovecot version with the fixed release:
# anything below 1.1.7-r1 is treated as vulnerable.
# NOTE(review): this is a version comparison only. Per the advisory's solution
# text, dovecot.conf stays world-readable after the upgrade, so a "not
# affected" result says nothing about where ssl_key_password is stored.
affected = FALSE;
if (qpkg_check(
      package    : "net-mail/dovecot",
      unaffected : make_list("ge 1.1.7-r1"),
      vulnerable : make_list("lt 1.1.7-r1")))
{
  affected = TRUE;
}

if (!affected)
{
  # No vulnerable package matched: report either "not affected" (the package
  # was examined) or "not installed" (nothing was examined).
  checked = qpkg_tests_get();
  if (checked)
    audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
  else
    audit(AUDIT_PACKAGE_NOT_INSTALLED, "Dovecot");
}
else
{
  # Vulnerable package found: raise a warning on port 0, attaching the
  # package report when the scan's report verbosity is above zero.
  if (report_verbosity > 0)
    security_warning(port:0, extra:qpkg_report_get());
  else
    security_warning(0);
  exit(0);
}
VendorProductVersionCPE
gentoolinuxdovecotp-cpe:/a:gentoo:linux:dovecot
gentoolinuxcpe:/o:gentoo:linux

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.142 Low

EPSS

Percentile

95.8%