The following issue has been RESOLVED. 
====================================================================== 
http://www.dbmail.org/mantis/view.php?id=545 
====================================================================== 
Reported By:                maenaka
Assigned To:                paul
====================================================================== 
Project:                    DBMail
Issue ID:                   545
Category:                   IMAP daemon
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     resolved
target:                      
Resolution:                 fixed
Fixed in Version:           2.2.5
====================================================================== 
Date Submitted:             20-Mar-07 02:08 CET
Last Modified:              20-Mar-07 09:17 CET
====================================================================== 
Summary:                    Security hole
Description: 
In dbmail_imap_session_handle_auth() in dbmail-imapsession.c, when
auth_validate() returns -1, TRACE(TRACE_ERROR, "db-validate ...") is
called with the unescaped raw IMAP password along with the IMAP username.
====================================================================== 

---------------------------------------------------------------------- 
 paul - 20-Mar-07 09:17  
---------------------------------------------------------------------- 
Hardly a 'blocking' bug this, and hardly even a security issue given that
the raw password is/was only logged in case of serious database trouble.
Still, better err on the side of caution. Patch applied. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
20-Mar-07 02:08 maenaka        New Issue                                    
20-Mar-07 02:08 maenaka        File Added: patch-dbmail-imapsession.c
20-Mar-07 09:17 paul           Note Added: 0001930                          
20-Mar-07 09:17 paul           Assigned To               => paul            
20-Mar-07 09:17 paul           Severity                 block => minor      
20-Mar-07 09:17 paul           Status                   new => resolved     
20-Mar-07 09:17 paul           Resolution               open => fixed       
20-Mar-07 09:17 paul           Fixed in Version          => 2.2.5           
======================================================================

_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://twister.fastxs.net/mailman/listinfo/dbmail-dev
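
Added example, not DBMail code and not the attached patch: one way to build the error message for the auth_validate() == -1 path described in the report so that the password never reaches the log. The helper names log_escape() and format_auth_failure() are hypothetical, and hex-escaping the username is an assumption about how the remaining field should be hardened.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not DBMail code): copy an untrusted string into a
 * log-safe buffer, hex-escaping control bytes, quotes, backslashes and
 * non-ASCII so a crafted username cannot forge or split log lines. */
static size_t log_escape(char *dst, size_t dstlen, const char *src)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (dstlen == 0)
        return 0;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        int plain = (c >= 0x20 && c < 0x7f && c != '"' && c != '\\');
        size_t need = plain ? 1 : 4;          /* "\xNN" is four bytes */
        if (o + need >= dstlen)               /* keep room for the NUL */
            break;                            /* never emit half an escape */
        if (plain) {
            dst[o++] = (char)c;
        } else {
            dst[o++] = '\\';
            dst[o++] = 'x';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        }
    }
    dst[o] = '\0';
    return o;
}

/* Build the log line for a backend failure (validation result -1).
 * The password is deliberately not a parameter, so it cannot be logged. */
int format_auth_failure(char *out, size_t outlen, const char *username, int rc)
{
    char user[128];
    log_escape(user, sizeof user, username);
    return snprintf(out, outlen,
                    "auth backend error (rc=%d) for user \"%s\"", rc, user);
}

int main(void)
{
    char line[256];
    /* Constructed input: a username containing CR/LF. */
    format_auth_failure(line, sizeof line, "alice\r\nfake entry", -1);
    puts(line);
    return 0;
}
```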
