| Summary: | Dovecot security issue CVE-2019-3814 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Stig-Ørjan Smelror <smelror> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | | CVE: | CVE-2019-3814 |
| Status comment: | | | |
|
Description
Stig-Ørjan Smelror 2019-02-05 20:05:24 CET

Stig-Ørjan Smelror 2019-02-05 20:05:46 CET
QA Contact: (none) => security

Stig-Ørjan Smelror 2019-02-05 20:06:09 CET
Whiteboard: (none) => MGA6TOO

Version 2.3.4.1 pushed to Cauldron.

Advisory
========

Dovecot has been updated to fix a security issue.

CVE-2019-3814: If an imap/pop3/managesieve/submission client has a trusted certificate with a missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing.

References
==========

https://www.dovecot.org/list/dovecot-news/2019-February/000393.html

Files
=====

Uploaded to core/updates_testing

dovecot-2.2.36.1-1.mga6
dovecot-devel-2.2.36.1-1.mga6
dovecot-pigeonhole-2.2.36.1-1.mga6
dovecot-pigeonhole-devel-2.2.36.1-1.mga6
dovecot-plugins-gssapi-2.2.36.1-1.mga6
dovecot-plugins-ldap-2.2.36.1-1.mga6
dovecot-plugins-mysql-2.2.36.1-1.mga6
dovecot-plugins-pgsql-2.2.36.1-1.mga6
dovecot-plugins-sqlite-2.2.36.1-1.mga6

from dovecot-2.2.36.1-1.mga6.src.rpm

Assignee: smelror => qa-bugs

Installed and tested without issues.
Tested using kmail/akonadi/Mageia 6, k9/android and roundcubemail/php/apache/Mageia 6 to access an account with many thousands of messages, on hundreds of folders.
System: Mageia 6, x86_64, Intel CPU.
$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep dovecot
dovecot-2.2.36.1-1.mga6
dovecot-pigeonhole-2.2.36.1-1.mga6
$ systemctl status dovecot.service dovecot.socket
● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: enabled)
Active: active (running) since Qua 2019-02-06 12:57:59 WET; 3h 23min ago
Docs: man:dovecot(1)
http://wiki2.dovecot.org/
Process: 7323 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
Process: 7328 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
Main PID: 7330 (dovecot)
CPU: 2.820s
CGroup: /system.slice/dovecot.service
├─ 7330 /usr/sbin/dovecot
├─ 7332 dovecot/anvil
├─ 7333 dovecot/log
├─ 7335 dovecot/config
├─11265 dovecot/imap-login
└─11266 dovecot/imap
● dovecot.socket - Dovecot IMAP/POP3 email server activation socket
Loaded: loaded (/usr/local/lib/systemd/system/dovecot.socket; enabled; vendor preset: enabled)
Active: active (running) since Qua 2019-02-06 08:34:38 WET; 6h ago
Listen: 127.0.0.1:143 (Stream)
127.0.0.1:993 (Stream)
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

CC: (none) => mageia

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref bug 17162 for testing
# systemctl start dovecot
# systemctl -l status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
Active: active (running) since do 2019-02-07 11:02:07 CET; 14s ago
Docs: man:dovecot(1)
http://wiki2.dovecot.org/
Process: 16840 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
Main PID: 16843 (dovecot)
CGroup: /system.slice/dovecot.service
├─16843 /usr/sbin/dovecot
├─16845 dovecot/anvil
├─16846 dovecot/log
├─16847 dovecot/ssl-params
├─16848 dovecot/config
└─16850 dovecot/ssl-params
feb 07 11:02:06 mach6.hviaene.thuis systemd[1]: Starting Dovecot IMAP/POP3 email server...
feb 07 11:02:07 mach6.hviaene.thuis systemd[1]: dovecot.service: PID file /run/dovecot/master.pid not re
feb 07 11:02:07 mach6.hviaene.thuis systemd[1]: Started Dovecot IMAP/POP3 email server.
feb 07 11:02:07 mach6.hviaene.thuis dovecot[16843]: master: Dovecot v2.2.36.1 (5d621cf65) starting up fo
feb 07 11:02:08 mach6.hviaene.thuis dovecot[16846]: ssl-params: Generating SSL parameters
# doveconf protocols listen
protocols = imap pop3 lmtp
listen = *
# telnet localhost 143
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
All seems OK.

Whiteboard: (none) => MGA6-32-OK

Giving the update an OK for x86_64, as per comment #3.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

More detailed advisory for the issue:
https://www.openwall.com/lists/oss-security/2019/02/05/1

Debian has issued an advisory for this on February 5:
https://www.debian.org/security/2019/dsa-4385

Validating. Advisory information in comments 2, 6, and 7.

Keywords: (none) => validated_update
Dave Hodgins 2019-02-13 03:43:16 CET

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0072.html

Resolution: (none) => FIXED
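The exposure check a defender would want from the advisory in this bug, as an added example that is not part of the bug report and not Dovecot's or Mageia's own code: it reads a package or banner version string against the fixed versions the advisory names (2.2.36.1 and 2.3.4.1) and flat-parses `doveconf -n` style output to see whether usernames are taken from client certificates. The settings `auth_ssl_username_from_cert` and `ssl_cert_username_field` (default `commonName`) are Dovecot's documented settings; the "branches after 2.3 carry the fix" rule and the sample input are assumptions, the sample being constructed.

```python
import re

# Fixed versions named in the advisory: 2.2.36.1 on the 2.2 branch, 2.3.4.1 on 2.3.
FIXED_IN = {(2, 2): (2, 2, 36, 1), (2, 3): (2, 3, 4, 1)}

def parse_version(text):
    """Pull a dotted version out of 'dovecot-2.2.36.1-1.mga6' or a 'Dovecot v2.2.36.1' banner."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(g) if g else 0 for g in m.groups())

def version_is_fixed(text):
    v = parse_version(text)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return v[:2] > (2, 3)  # assumption: branches after 2.3 carry the fix, older ones do not
    return v >= fixed

def parse_doveconf(text):
    """Flat parse of `doveconf -n` output: top-level 'key = value' lines only, { } blocks skipped."""
    settings, depth = {}, 0
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def assess(version_text, doveconf_text):
    """Verdict for one host: 'fixed', 'exposed: ...' or 'update recommended: ...'."""
    s = parse_doveconf(doveconf_text)
    # Usernames come from the client certificate only when auth_ssl_username_from_cert is
    # enabled; the field read is ssl_cert_username_field, whose Dovecot default is commonName.
    uses_cert_usernames = s.get("auth_ssl_username_from_cert", "no") == "yes"
    field = s.get("ssl_cert_username_field", "commonName")
    if version_is_fixed(version_text):
        return "fixed"
    if uses_cert_usernames:
        return "exposed: unfixed version takes usernames from %s" % field
    return "update recommended: unfixed version, client-cert usernames not enabled"

if __name__ == "__main__":
    # Constructed sample input, not taken from a real host.
    sample = "protocols = imap pop3 lmtp\nlisten = *\nauth_ssl_username_from_cert = yes\npassdb {\n  driver = pam\n}\n"
    print(assess("dovecot-2.2.36-1.mga6", sample))  # prints "exposed: unfixed version takes usernames from commonName"
```

On a real host, feed `assess` the version from `rpm -q dovecot` or the `# 2.2.36.1 ...` comment that heads `doveconf -n` output, together with that output.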