CVE-2008-1199 If Dovecot was configured with mail_extra_groups = mail, users
having shell access to IMAP server could use this flaw to read, modify or delete
mails of other users stored in inbox files in /var/mail. /var/mail directory is
mail-group writable and user inbox files are by default created by useradd with
permission 660, <user>:mail. No mail_extra_groups is set by default, hence
default Fedora configuration was not affected by this problem. If your
configuration sets mail_extra_groups, see new options mail_privileged_group and
mail_access_groups introduced in Dovecot 1.0.11. (mail_extra_groups is still
accepted, but is deprecated now)
CVE-2008-1218 On Dovecot versions 1.0.11
and newer, it was possible to gain password-less login via passwords with tab
characters, which were not filtered properly. Dovecot versions in Fedora were
not affected by this unauthorized login flaw, but only by a related minor memory
leak in dovecot-auth worker process.
