CVE-2008-4870

NameCVE-2008-4870
Descriptiondovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dovecot (PTS)jessie, jessie (lts)1:2.2.13-12~deb8u9vulnerable
stretch (security), stretch (lts), stretch1:2.2.27-3+deb9u7vulnerable
buster1:2.3.4.1-5+deb10u6vulnerable
buster (security)1:2.3.4.1-5+deb10u7vulnerable
bullseye1:2.3.13+dfsg1-2+deb11u1vulnerable
bookworm1:2.3.19.1+dfsg1-2.1vulnerable
trixie1:2.3.21+dfsg1-2vulnerable
sid1:2.3.21+dfsg1-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dovecotsource(unstable)(unfixed)unimportant

Notes

by default this file doesnt containt sensitive information and administrator
changing this should ensure on its own that the mode is secure

Search for package or bug name: Reporting problems