CVE-2019-3814: If an imap/pop3/managesieve/submission client has a trusted certificate with a missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. Fixed in 2.2.36.1 and 2.3.4.1.
QA Contact: (none) => security
Component: RPM Packages => Security
CVE: (none) => CVE-2019-3814
Whiteboard: (none) => MGA6TOO
Version 2.3.4.1 pushed to Cauldron.
Advisory
========

Dovecot has been updated to fix a security issue.

CVE-2019-3814: If an imap/pop3/managesieve/submission client has a trusted certificate with a missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing.

References
==========

https://www.dovecot.org/list/dovecot-news/2019-February/000393.html

Files
=====

Uploaded to core/updates_testing

dovecot-2.2.36.1-1.mga6
dovecot-devel-2.2.36.1-1.mga6
dovecot-pigeonhole-2.2.36.1-1.mga6
dovecot-pigeonhole-devel-2.2.36.1-1.mga6
dovecot-plugins-gssapi-2.2.36.1-1.mga6
dovecot-plugins-ldap-2.2.36.1-1.mga6
dovecot-plugins-mysql-2.2.36.1-1.mga6
dovecot-plugins-pgsql-2.2.36.1-1.mga6
dovecot-plugins-sqlite-2.2.36.1-1.mga6

from dovecot-2.2.36.1-1.mga6.src.rpm
Assignee: smelror => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Installed and tested without issues.

Tested using kmail/akonadi/Mageia 6, k9/android and roundcubemail/php/apache/Mageia 6 to access an account with many thousands of messages, on hundreds of folders.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep dovecot
dovecot-2.2.36.1-1.mga6
dovecot-pigeonhole-2.2.36.1-1.mga6

$ systemctl status dovecot.service dovecot.socket
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: enabled)
   Active: active (running) since Qua 2019-02-06 12:57:59 WET; 3h 23min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
  Process: 7323 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
  Process: 7328 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
 Main PID: 7330 (dovecot)
      CPU: 2.820s
   CGroup: /system.slice/dovecot.service
           ├─ 7330 /usr/sbin/dovecot
           ├─ 7332 dovecot/anvil
           ├─ 7333 dovecot/log
           ├─ 7335 dovecot/config
           ├─11265 dovecot/imap-login
           └─11266 dovecot/imap

● dovecot.socket - Dovecot IMAP/POP3 email server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/dovecot.socket; enabled; vendor preset: enabled)
   Active: active (running) since Qua 2019-02-06 08:34:38 WET; 6h ago
   Listen: 127.0.0.1:143 (Stream)
           127.0.0.1:993 (Stream)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
CC: (none) => mageia
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref bug 17162 for testing

# systemctl start dovecot
# systemctl -l status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
   Active: active (running) since do 2019-02-07 11:02:07 CET; 14s ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
  Process: 16840 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
 Main PID: 16843 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─16843 /usr/sbin/dovecot
           ├─16845 dovecot/anvil
           ├─16846 dovecot/log
           ├─16847 dovecot/ssl-params
           ├─16848 dovecot/config
           └─16850 dovecot/ssl-params

feb 07 11:02:06 mach6.hviaene.thuis systemd[1]: Starting Dovecot IMAP/POP3 email server...
feb 07 11:02:07 mach6.hviaene.thuis systemd[1]: dovecot.service: PID file /run/dovecot/master.pid not re
feb 07 11:02:07 mach6.hviaene.thuis systemd[1]: Started Dovecot IMAP/POP3 email server.
feb 07 11:02:07 mach6.hviaene.thuis dovecot[16843]: master: Dovecot v2.2.36.1 (5d621cf65) starting up fo
feb 07 11:02:08 mach6.hviaene.thuis dovecot[16846]: ssl-params: Generating SSL parameters

# doveconf protocols listen
protocols = imap pop3 lmtp
listen = *

# telnet localhost 143
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.

All seems OK.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Giving the update an OK for x86_64, as per comment #3.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
More detailed advisory for the issue: https://www.openwall.com/lists/oss-security/2019/02/05/1
Debian has issued an advisory for this on February 5: https://www.debian.org/security/2019/dsa-4385
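The upstream advisory linked above names the configuration in which this bug is reachable: auth_ssl_require_client_cert = yes together with auth_ssl_username_from_cert = yes, so that a trusted client certificate lacking the field named by ssl_cert_username_field lets the client-supplied login name through. The script below is an added example for this page, not code from the bug report, from Mageia or from Dovecot: it reads `doveconf -n` output and a package version string and reports whether a host is in the exposed configuration and whether its Dovecot carries the fix (2.2.36.1 or 2.3.4.1 and later). The sample config texts are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage a Dovecot host for CVE-2019-3814.
# Exposed-configuration conditions are those named in the upstream advisory;
# fixed versions are the ones given in this bug report.

# Constructed sample of `doveconf -n` output (not from the bug report) for a
# host that takes the login name from the client certificate alone.
SAMPLE_EXPOSED='auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
ssl_cert_username_field = commonName
ssl_verify_client_cert = yes'

# Constructed sample for a host that requires a client certificate but still
# verifies a password, so a certificate without the username field is not
# enough to log in as another user.
SAMPLE_NOT_EXPOSED='auth_ssl_require_client_cert = yes
ssl_verify_client_cert = yes'

# Usage: cve_2019_3814_config_exposure "$(doveconf -n)"
# Prints "exposed" when both advisory settings are "yes".
# doveconf -n prints only non-default values and both settings default to
# "no", so an absent line is treated as "no".
cve_2019_3814_config_exposure() {
    conf=$1
    require=$(printf '%s\n' "$conf" | sed -n 's/^auth_ssl_require_client_cert *= *//p' | tail -n 1)
    from_cert=$(printf '%s\n' "$conf" | sed -n 's/^auth_ssl_username_from_cert *= *//p' | tail -n 1)
    if [ "${require:-no}" = yes ] && [ "${from_cert:-no}" = yes ]; then
        echo exposed
    else
        echo not-exposed
    fi
}

# Usage: dovecot_version_is_fixed "$(rpm -q --qf '%{VERSION}-%{RELEASE}' dovecot)"
# Accepts a bare version or an RPM version-release string such as
# 2.2.36.1-1.mga6. Prints "yes" for 2.2.36.1+, 2.3.4.1+ and any later branch;
# anything else (including branches older than 2.2) is not a fixed release.
dovecot_version_is_fixed() {
    v=${1%%-*}                     # drop the RPM release suffix
    printf '%s\n' "$v" | awk -F. '{
        a = $1 + 0; b = $2 + 0; c = $3 + 0; d = $4 + 0
        fixed = "no"
        if (a == 2 && b == 2 && (c > 36 || (c == 36 && d >= 1))) fixed = "yes"
        else if (a == 2 && b == 3 && (c > 4 || (c == 4 && d >= 1))) fixed = "yes"
        else if (a > 2 || (a == 2 && b > 3)) fixed = "yes"
        print fixed
    }'
}

# Combine both checks: the bug is only reachable when the configuration is
# exposed and the installed package predates the fix.
cve_2019_3814_status() {
    version=$1
    conf=$2
    if [ "$(cve_2019_3814_config_exposure "$conf")" = not-exposed ]; then
        echo config-not-exposed
    elif [ "$(dovecot_version_is_fixed "$version")" = yes ]; then
        echo exposed-config-but-fixed-version
    else
        echo vulnerable
    fi
}

cve_2019_3814_status 2.2.36-1.mga6 "$SAMPLE_EXPOSED"     # vulnerable
cve_2019_3814_status 2.2.36.1-1.mga6 "$SAMPLE_EXPOSED"   # exposed-config-but-fixed-version
```

On a real host run `cve_2019_3814_status "$(rpm -q --qf '%{VERSION}-%{RELEASE}' dovecot)" "$(doveconf -n)"`. The version check only says whether the package carries the upstream fix; a host in the exposed configuration should still confirm, after updating, that a certificate without the configured username field is rejected rather than silently accepted.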
Validating. Advisory information in comments 2, 6, and 7.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0072.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED