Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos

Bugtraq: Re: rPSA-2008-0001-1 dovecot

Re: rPSA-2008-0001-1 dovecot

From: Steven M. Christey <coley_at_mitre.org>
Date: Thu, 3 Jan 2008 20:13:04 -0500 (EST)

>> References:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6598
>
>This CVE does not exist - do you mean
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794

No, CVE-2007-6598 is correct. Sometimes a CVE number is publicly used
before it has been updated on the public CVE web server, especially
with Linux distros (a couple Debian advisories today currently have
the same issue). This "race condition" is an artifact of our CVE
reservation and web site processes. This particular item will be on
the CVE site shortly.

>> http://wiki.rpath.com/Advisories:rPSA-2008-0001
>
>This is rather misleading - the bug was not in Dovecot, but in
>nss_ldap. You may have put a workaround into Dovecot, but it would
>have been polite to mention this fact.

The announcement from Timo Sirainen, the upstream developer, does not
mention nss_ldap :

  http://dovecot.org/list/dovecot-news/2007-December/000057.html
  http://dovecot.org/list/dovecot-news/2007-December/000058.html

... so perhaps some clarification is in order.

- Steve
Received on Jan 04 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]