Dovecot has issued an advisory on July 6: https://dovecot.org/pipermail/dovecot-news/2022-July/000477.html The upstream commit that fixed the issue is linked in the message above. Mageia 8 is also affected.
Status comment: (none) => Patch available from upstream
Whiteboard: (none) => MGA8TOO
There's no registered maintainer for dovecot, but kekepower pushed the package several times. @kekepower If you don't agree with the assignment, then please assign it back to BugSquad or else to all packagers collectively (pkg-bugs@ml.mageia.org)
Assignee: bugsquad => smelror
CC: (none) => marja11
Ubuntu has issued an advisory for this today (July 11): https://ubuntu.com/security/notices/USN-5509-1
Severity: normal => major
openSUSE has issued an advisory for this today (July 20): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/532QM5GABOZURM72SXKWEPBBQKUHLQC3/
Fedora has issued an advisory for this today (August 2): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OQ5EW32AQSRSHPFQZM5W3PEYEKPBKGNA/
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user. (CVE-2022-30550)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30550
https://dovecot.org/pipermail/dovecot-news/2022-July/000477.html
https://ubuntu.com/security/notices/USN-5509-1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/532QM5GABOZURM72SXKWEPBBQKUHLQC3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OQ5EW32AQSRSHPFQZM5W3PEYEKPBKGNA/
========================

Updated packages in core/updates_testing:
========================
dovecot-2.3.17.1-1.2.mga8
dovecot-devel-2.3.17.1-1.2.mga8
dovecot-pigeonhole-2.3.17.1-1.2.mga8
dovecot-pigeonhole-devel-2.3.17.1-1.2.mga8
dovecot-plugins-gssapi-2.3.17.1-1.2.mga8
dovecot-plugins-ldap-2.3.17.1-1.2.mga8
dovecot-plugins-mysql-2.3.17.1-1.2.mga8
dovecot-plugins-pgsql-2.3.17.1-1.2.mga8
dovecot-plugins-sqlite-2.3.17.1-1.2.mga8

from SRPM:
dovecot-2.3.17.1-1.2.mga8.src.rpm
Status comment: Patch available from upstream => (none)
Assignee: smelror => qa-bugs
CVE: (none) => CVE-2022-30550
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Source RPM: dovecot-2.3.19.1-1.mga9.src.rpm => dovecot-2.3.17.1-1.1.mga8.src.rpm
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
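As an added audit example (not Mageia's or Dovecot's own code), the following Python script parses a constructed dovecot.conf fragment and flags passdb blocks that share the same driver and args but differ in their username_filter or mechanisms settings, the configuration pattern the advisory above says could have settings misapplied before Dovecot 2.3.20. It assumes the plain `passdb { key = value }` block syntax and does not follow !include directives.

```python
import re
from collections import defaultdict

# Constructed sample config (not a real deployment): two passdb blocks share
# driver and args; only the master one carries a username_filter.
SAMPLE_CONF = """\
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
  master = yes
  username_filter = admin*
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
}
passdb {
  driver = pam
  args = dovecot
}
"""
BLOCK_OPEN = re.compile(r"^\s*([\w-]+)(?:\s+\S+)?\s*\{\s*$")
SETTING = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")

def parse_passdbs(text):
    """Collect every passdb block as a dict of its key = value settings."""
    stack, passdbs = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        m = BLOCK_OPEN.match(line)
        if m:
            stack.append({"_type": m.group(1)})
        elif line.strip() == "}":
            block = stack.pop()
            if block["_type"] == "passdb":
                passdbs.append(block)
        elif stack and (m := SETTING.match(line)):
            stack[-1][m.group(1)] = m.group(2)
    return passdbs

def find_duplicate_passdbs(text):
    """Return (driver, args) pairs shared by two or more passdb blocks whose
    username_filter or mechanisms settings differ (the advisory's pattern)."""
    groups = defaultdict(list)
    for p in parse_passdbs(text):
        groups[(p.get("driver"), p.get("args", ""))].append(p)
    return [key for key, entries in groups.items()
            if len(entries) > 1 and len({(e.get("username_filter"),
                                          e.get("mechanisms")) for e in entries}) > 1]
```

Run it against your own dovecot.conf (and any files it includes) and compare each reported pair against the upgraded 2.3.17.1-1.2.mga8 behaviour rather than relying on the filter alone.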
No regressions noticed. Validating.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0296.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED