Package: dovecot
Version: 1:1.2.13-1
Severity: grave
On Oct 1, Timo released version 1.2.15 to correct two bugs in the ACL
evaluation logic:
* acl: Fixed the logic of merging multiple ACL entries. Now it works as
documented, while previously it could have done slightly different
things depending on the order of the entries.
* acl: Don't give admin rights to all owner mailboxes. This was
originally done to make sure that mailbox owner couldn't accidentally
remove their own admin rights. But this is already prevented by
SETACL command, so it's not necessary. Also sysadmin may have
intentionally removed some admin rights from some mailboxes
(especially when using symlinked shared mailboxes).
I think this is an important security fix, because without it a user
can gain access to other mailboxes or, worse, admin rights on shared
mailboxes. It would be a Good Thing(TM) to have version 1.2.15 in
Squeeze.
You can find the release notes here:
http://www.dovecot.org/list/dovecot-news/2010-October/000175.html
and details on the ACL bug here:
http://www.dovecot.org/list/dovecot-news/2010-October/000177.html
Best regards.
Paolo Miotto
-------------------------------------------
Paolo Miotto
Centro Servizi Informatici e Telematici
Università di Udine
-------------------------------------------