Debian Bug report logs -
#1016351
dovecot: CVE-2022-30550
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Dovecot Maintainers <dovecot@packages.debian.org>:
Bug#1016351; Package src:dovecot.
(Fri, 29 Jul 2022 20:51:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Dovecot Maintainers <dovecot@packages.debian.org>.
(Fri, 29 Jul 2022 20:51:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: dovecot
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for dovecot.
CVE-2022-30550[0]:
| An issue was discovered in the auth component in Dovecot 2.2 and 2.3
| before 2.3.20. When two passdb configuration entries exist with the
| same driver and args settings, incorrect username_filter and mechanism
| settings can be applied to passdb definitions. These incorrectly
| applied settings can lead to an unintended security configuration and
| can permit privilege escalation in certain configurations. The
| documentation does not advise against the use of passdb definitions
| that have the same driver and args settings. One such configuration
| would be where an administrator wishes to use the same PAM
| configuration or passwd file for both normal and master users but use
| the username_filter setting to restrict which of the users is able to
| be a master user.
https://www.openwall.com/lists/oss-security/2022/07/06/9
https://github.com/dovecot/core/commit/7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904
https://github.com/dovecot/core/commit/a1022072e2ce36f853873d910287f466165b184b
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-30550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30550
Please adjust the affected versions in the BTS as needed.
Information forwarded
to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <dovecot@packages.debian.org>:
Bug#1016351; Package src:dovecot.
(Fri, 29 Jul 2022 22:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Noah Meyerhans <frodo@morgul.net>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <dovecot@packages.debian.org>.
(Fri, 29 Jul 2022 22:21:04 GMT) (full text, mbox, link).
Message #10 received at 1016351@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags -1 + pending
The fix targeting sid is pending review on salsa.
My inclination is that this won't need a DSA and can wait for a bullseye point release, but I'm open to other opinions.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
[Message part 2 (text/html, inline)]
Added tag(s) pending.
Request was from Noah Meyerhans <frodo@morgul.net>
to 1016351-submit@bugs.debian.org.
(Fri, 29 Jul 2022 22:21:04 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Jul 30 13:17:07 2022;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon