CVE-2013-6171

Published: 9 December 2013

checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server.

Priority

Low

Status

Package: dovecot (Launchpad, Ubuntu, Debian)

Release   Status
artful    Not vulnerable (1:2.2.9-1ubuntu2)
lucid     Ignored (reached end-of-life)
precise   Released (1:2.0.19-0ubuntu2.4)
quantal   Ignored (reached end-of-life)
raring    Ignored (reached end-of-life)
saucy     Ignored (reached end-of-life)
trusty    Not vulnerable (1:2.2.9-1ubuntu2)
upstream  Released (2.2.7)
utopic    Not vulnerable (1:2.2.9-1ubuntu2)
vivid     Not vulnerable (1:2.2.9-1ubuntu2)
wily      Not vulnerable (1:2.2.9-1ubuntu2)
xenial    Not vulnerable (1:2.2.9-1ubuntu2)
yakkety   Not vulnerable (1:2.2.9-1ubuntu2)
zesty     Not vulnerable (1:2.2.9-1ubuntu2)

Patches:
upstream: http://hg.dovecot.org/dovecot-2.2/rev/a13098b642e9