Bug 30618 - dovecot new security issue CVE-2022-30550
Summary: dovecot new security issue CVE-2022-30550
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-07-08 20:24 CEST by David Walser
Modified: 2022-08-25 23:22 CEST
4 users

See Also:
Source RPM: dovecot-2.3.17.1-1.1.mga8.src.rpm
CVE: CVE-2022-30550
Status comment:



Description David Walser 2022-07-08 20:24:47 CEST
Dovecot has issued an advisory on July 6:
https://dovecot.org/pipermail/dovecot-news/2022-July/000477.html

The upstream commit that fixed the issue is linked in the message above.

Mageia 8 is also affected.
David Walser 2022-07-08 20:25:03 CEST

Status comment: (none) => Patch available from upstream
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2022-07-10 16:50:16 CEST
There's no registered maintainer for dovecot, but kekepower pushed the package several times.

@ kekepower

If you don't agree with the assignment, then please assign it back to BugSquad or else to all packagers collectively (pkg-bugs@ml.mageia.org)

Assignee: bugsquad => smelror
CC: (none) => marja11

Comment 2 David Walser 2022-07-11 19:31:44 CEST
Ubuntu has issued an advisory for this today (July 11):
https://ubuntu.com/security/notices/USN-5509-1

Severity: normal => major

Comment 3 David Walser 2022-07-20 15:49:10 CEST
openSUSE has issued an advisory for this today (July 20):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/532QM5GABOZURM72SXKWEPBBQKUHLQC3/
Comment 4 David Walser 2022-08-03 01:07:44 CEST
Fedora has issued an advisory for this today (August 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OQ5EW32AQSRSHPFQZM5W3PEYEKPBKGNA/
Comment 5 Nicolas Salguero 2022-08-23 11:34:13 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user. (CVE-2022-30550)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30550
https://dovecot.org/pipermail/dovecot-news/2022-July/000477.html
https://ubuntu.com/security/notices/USN-5509-1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/532QM5GABOZURM72SXKWEPBBQKUHLQC3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OQ5EW32AQSRSHPFQZM5W3PEYEKPBKGNA/
========================

Updated packages in core/updates_testing:
========================
dovecot-2.3.17.1-1.2.mga8
dovecot-devel-2.3.17.1-1.2.mga8
dovecot-pigeonhole-2.3.17.1-1.2.mga8
dovecot-pigeonhole-devel-2.3.17.1-1.2.mga8
dovecot-plugins-gssapi-2.3.17.1-1.2.mga8
dovecot-plugins-ldap-2.3.17.1-1.2.mga8
dovecot-plugins-mysql-2.3.17.1-1.2.mga8
dovecot-plugins-pgsql-2.3.17.1-1.2.mga8
dovecot-plugins-sqlite-2.3.17.1-1.2.mga8

from SRPM:
dovecot-2.3.17.1-1.2.mga8.src.rpm

Status comment: Patch available from upstream => (none)
Assignee: smelror => qa-bugs
CVE: (none) => CVE-2022-30550
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Source RPM: dovecot-2.3.19.1-1.mga9.src.rpm => dovecot-2.3.17.1-1.1.mga8.src.rpm
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
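The condition in the advisory text above (two passdb definitions sharing driver and args, differing only in username_filter or mechanisms) can be checked for in a configuration before it is deployed. The script below is an added example, not part of the bug report or of Dovecot itself; the dovecot.conf fragment and the file paths in it are constructed, and it only handles flat passdb blocks.

```python
import re
from collections import defaultdict

# Constructed dovecot.conf fragment (not from the bug report): two passdb blocks
# share driver and args and differ only in username_filter, as in CVE-2022-30550.
RISKY_CONF = """
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
  master = yes
  username_filter = *@admin.example.com
}
"""
# Same intent, but the master passdb gets its own file, so driver+args differ.
SAFE_CONF = RISKY_CONF.replace("users\n  master", "masters\n  master")

# Flat passdb { ... } blocks only: Dovecot passdb blocks do not nest.
PASSDB_BLOCK = re.compile(r"passdb\s*\{(.*?)\}", re.S)

def parse_passdbs(conf):
    """Return one {setting: value} dict per passdb block, comments stripped."""
    blocks = []
    for body in PASSDB_BLOCK.findall(conf):
        entry = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, _, value = line.partition("=")
                entry[key.strip()] = value.strip()
        blocks.append(entry)
    return blocks

def find_shared_passdbs(conf):
    """List (driver, args) pairs used by several passdb blocks that disagree on
    username_filter or mechanisms, the settings the advisory says can be misapplied."""
    groups = defaultdict(list)
    for idx, entry in enumerate(parse_passdbs(conf)):
        groups[(entry.get("driver"), entry.get("args", ""))].append((idx, entry))
    findings = []
    for (driver, args), members in groups.items():
        if len(members) < 2:
            continue
        for setting in ("username_filter", "mechanisms"):
            if len({e.get(setting) for _, e in members}) > 1:
                findings.append({"driver": driver, "args": args,
                                 "setting": setting, "blocks": [i for i, _ in members]})
    return findings
```

A non-empty result means the configuration relies on exactly the pattern the fixed packages address; giving the master passdb its own args, as in SAFE_CONF, removes the overlap.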

Comment 6 Dave Hodgins 2022-08-24 22:33:23 CEST
No regressions noticed. Validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Dave Hodgins 2022-08-24 22:53:17 CEST

Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-08-25 23:22:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0296.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

