Bug 24314 - Dovecot security issue CVE-2019-3814
Summary: Dovecot security issue CVE-2019-3814
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2019-02-05 20:05 CET by Stig-Ørjan Smelror
Modified: 2019-02-13 12:10 CET
CC List: 5 users

See Also:
Source RPM:
CVE: CVE-2019-3814
Status comment:
Description Stig-Ørjan Smelror 2019-02-05 20:05:24 CET
CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing.

Fixed in 2.2.36.1 and 2.3.4.1
Stig-Ørjan Smelror 2019-02-05 20:05:46 CET

QA Contact: (none) => security
Component: RPM Packages => Security
CVE: (none) => CVE-2019-3814

Stig-Ørjan Smelror 2019-02-05 20:06:09 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Stig-Ørjan Smelror 2019-02-05 20:08:58 CET
Version 2.3.4.1 pushed to Cauldron.
Comment 2 Stig-Ørjan Smelror 2019-02-05 20:13:28 CET
Advisory
========

Dovecot has been updated to fix a security issue.

CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing.


References
==========
https://www.dovecot.org/list/dovecot-news/2019-February/000393.html


Files
=====

Uploaded to core/updates_testing

dovecot-2.2.36.1-1.mga6
dovecot-devel-2.2.36.1-1.mga6
dovecot-pigeonhole-2.2.36.1-1.mga6
dovecot-pigeonhole-devel-2.2.36.1-1.mga6
dovecot-plugins-gssapi-2.2.36.1-1.mga6
dovecot-plugins-ldap-2.2.36.1-1.mga6
dovecot-plugins-mysql-2.2.36.1-1.mga6
dovecot-plugins-pgsql-2.2.36.1-1.mga6
dovecot-plugins-sqlite-2.2.36.1-1.mga6

from dovecot-2.2.36.1-1.mga6.src.rpm

Assignee: smelror => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
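The condition the description and the advisory above describe (an unfixed build that takes the login name from a trusted client certificate whose ssl_cert_username_field is absent) can be checked against an installed Dovecot with the script below. It is an added example, not code from this bug report, Mageia or the Dovecot project; the fixed versions come from the report, while auth_ssl_require_client_cert and auth_ssl_username_from_cert are Dovecot's documented options for certificate-derived usernames and are assumed here to be the settings that make the bug reachable.

```shell
#!/bin/sh
# Added example for this bug report, not Dovecot's or Mageia's own code.
# Classifies a Dovecot install against CVE-2019-3814: the version test uses
# the fixed releases named in the report (2.2.36.1 and 2.3.4.1); the settings
# test assumes the two options that take the login name from a client
# certificate are what make a missing ssl_cert_username_field matter.
# 0 = version carries the fix on its branch, 1 = it does not. Accepts
# `dovecot --version` output ("2.2.36.1 (5d621cf65)") or "2.2.36.1-1.mga6".
dovecot_version_fixed() {
    v=${1%% *}; v=${v%%-*}
    IFS=. read -r maj min pat sub <<EOF
$v
EOF
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}; sub=${sub:-0}
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -lt 2 ] && return 1
    case $min in
        2) [ "$pat" -gt 36 ] || { [ "$pat" -eq 36 ] && [ "$sub" -ge 1 ]; } ;;
        3) [ "$pat" -gt 4 ]  || { [ "$pat" -eq 4 ]  && [ "$sub" -ge 1 ]; } ;;
        *) [ "$min" -gt 3 ] ;;
    esac
}

# $1 version, $2 auth_ssl_require_client_cert, $3 auth_ssl_username_from_cert.
# Prints fixed, exposed (unfixed build with cert-derived usernames on),
# not-exposed, or unknown (a setting could not be read: fail closed).
cve_2019_3814_status() {
    if dovecot_version_fixed "$1"; then echo fixed
    elif [ -z "$2" ] || [ -z "$3" ]; then echo unknown
    elif [ "$2" = yes ] && [ "$3" = yes ]; then echo exposed
    else echo not-exposed
    fi
}
# Live check of the local install; needs dovecot and doveconf on PATH.
check_local_dovecot() {
    ver=$(dovecot --version 2>/dev/null) || return 1
    req=$(doveconf -h auth_ssl_require_client_cert 2>/dev/null)
    frc=$(doveconf -h auth_ssl_username_from_cert 2>/dev/null)
    fld=$(doveconf -h ssl_cert_username_field 2>/dev/null)
    echo "dovecot $ver: $(cve_2019_3814_status "$ver" "$req" "$frc")" \
         "(ssl_cert_username_field=${fld:-unset})"
}

if command -v doveconf >/dev/null 2>&1; then
    check_local_dovecot || echo "could not query the local dovecot"
else
    # No Dovecot here: run the classifier over constructed sample values.
    for sample in "2.2.36" "2.2.36.1 (5d621cf65)" "2.3.4.1-1.mga6"; do
        echo "$sample, cert usernames on -> $(cve_2019_3814_status "$sample" yes yes)"
    done
fi
```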

Comment 3 PC LX 2019-02-06 17:23:22 CET
Installed and tested without issues.

Tested using kmail/akonadi/Mageia 6, k9/android and roundcubemail/php/apache/Mageia 6 to access an account with many thousands of messages, on hundreds of folders.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep dovecot
dovecot-2.2.36.1-1.mga6
dovecot-pigeonhole-2.2.36.1-1.mga6
$ systemctl status dovecot.service dovecot.socket
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: enabled)
   Active: active (running) since Qua 2019-02-06 12:57:59 WET; 3h 23min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
  Process: 7323 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
  Process: 7328 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
 Main PID: 7330 (dovecot)
      CPU: 2.820s
   CGroup: /system.slice/dovecot.service
           ├─ 7330 /usr/sbin/dovecot
           ├─ 7332 dovecot/anvil
           ├─ 7333 dovecot/log
           ├─ 7335 dovecot/config
           ├─11265 dovecot/imap-login
           └─11266 dovecot/imap

● dovecot.socket - Dovecot IMAP/POP3 email server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/dovecot.socket; enabled; vendor preset: enabled)
   Active: active (running) since Qua 2019-02-06 08:34:38 WET; 6h ago
   Listen: 127.0.0.1:143 (Stream)
           127.0.0.1:993 (Stream)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

CC: (none) => mageia

Comment 4 Herman Viaene 2019-02-07 11:11:09 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref bug 17162 for testing
# systemctl start dovecot
# systemctl -l status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
   Active: active (running) since do 2019-02-07 11:02:07 CET; 14s ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
  Process: 16840 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
 Main PID: 16843 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─16843 /usr/sbin/dovecot
           ├─16845 dovecot/anvil
           ├─16846 dovecot/log
           ├─16847 dovecot/ssl-params
           ├─16848 dovecot/config
           └─16850 dovecot/ssl-params

feb 07 11:02:06 mach6.hviaene.thuis systemd[1]: Starting Dovecot IMAP/POP3 email server...
feb 07 11:02:07 mach6.hviaene.thuis systemd[1]: dovecot.service: PID file /run/dovecot/master.pid not re
feb 07 11:02:07 mach6.hviaene.thuis systemd[1]: Started Dovecot IMAP/POP3 email server.
feb 07 11:02:07 mach6.hviaene.thuis dovecot[16843]: master: Dovecot v2.2.36.1 (5d621cf65) starting up fo
feb 07 11:02:08 mach6.hviaene.thuis dovecot[16846]: ssl-params: Generating SSL parameters

# doveconf protocols listen
protocols = imap pop3 lmtp
listen = *

# telnet localhost 143
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.

All seems OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 5 PC LX 2019-02-07 14:24:44 CET
Giving the update an OK for x86_64, as per comment #3.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 6 David Walser 2019-02-10 18:57:13 CET
More detailed advisory for the issue:
https://www.openwall.com/lists/oss-security/2019/02/05/1
Comment 7 David Walser 2019-02-10 19:33:00 CET
Debian has issued an advisory for this on February 5:
https://www.debian.org/security/2019/dsa-4385
Comment 8 Thomas Andrews 2019-02-11 00:36:08 CET
Validating. Advisory information in comments 2, 6, and 7.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-02-13 03:43:16 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2019-02-13 12:10:41 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0072.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED