    ArchLinux: 201902-1: dovecot: authentication bypass

    Date: 11 Feb 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package dovecot before version 2.3.4.1-1 is vulnerable to authentication bypass.
    Arch Linux Security Advisory ASA-201902-1
    =========================================
    
    Severity: High
    Date    : 2019-02-06
    CVE-ID  : CVE-2019-3814
    Package : dovecot
    Type    : authentication bypass
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-872
    
    Summary
    =======
    
    The package dovecot before version 2.3.4.1-1 is vulnerable to
    authentication bypass.
    
    Resolution
    ==========
    
    Upgrade to 2.3.4.1-1.
    
    # pacman -Syu "dovecot>=2.3.4.1-1"
    
    The problem has been fixed upstream in version 2.3.4.1.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    A vulnerability has been found in Dovecot versions prior to 2.3.4.1,
    allowing a remote client in possession of a trusted SSL certificate to
    log in as any user, in some configurations.
    This affects only installations using auth_ssl_require_client_cert =
    yes and auth_ssl_username_from_cert = yes, and the attacker might
    have access to a trusted certificate without the
    ssl_cert_username_field (defaults to commonName) set in it.
    
    Impact
    ======
    
    A remote client in possession of a trusted SSL certificate might be
    able to log in as any user.
    
    References
    ==========
    
    https://www.dovecot.org/pipermail/dovecot/2019-February/114575.html
    https://github.com/dovecot/core/commit/61471a5c42528090cffcca9bceded316746637b7
    https://security.archlinux.org/CVE-2019-3814
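
To triage a host against the conditions in the Description, the following added example (not part of the advisory or of Dovecot) checks a version string and `doveconf -n` style output for the two settings that must both be `yes`. The function names and the sample configuration are constructed for illustration, and the version comparison assumes a `sort` that supports `-V`.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether a host matches the
# affected configuration. On a real host, assuming doveconf and dovecot are on PATH:
#   doveconf -n | dovecot_asa_201902_1_exposed "$(dovecot --version)"
FIXED_VERSION="2.3.4.1"   # upstream fix version stated in the advisory

# version_lt A B: succeed when A sorts strictly before B (uses sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# setting_is_yes NAME: read "key = value" lines on stdin; succeed when the
# last assignment of NAME is "yes". Comment lines are skipped.
setting_is_yes() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { exit((val == "yes") ? 0 : 1) }'
}

# Config on stdin, version string as $1. Returns 0 only when the version is
# below the fix AND both settings named in the advisory are "yes".
dovecot_asa_201902_1_exposed() {
    version=${1%% *}          # "2.3.4 (abc)" -> "2.3.4"
    version=${version%%-*}    # "2.3.4-1"     -> "2.3.4" (drop pkgrel)
    conf=$(cat)
    if ! version_lt "$version" "$FIXED_VERSION"; then
        echo "not exposed: $version is at or above $FIXED_VERSION"; return 1
    fi
    if printf '%s\n' "$conf" | setting_is_yes auth_ssl_require_client_cert &&
       printf '%s\n' "$conf" | setting_is_yes auth_ssl_username_from_cert; then
        echo "EXPOSED: $version with both settings enabled; upgrade"; return 0
    fi
    echo "$version predates the fix, but the two settings are not both yes"
    return 1
}

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF='ssl = required
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes'

printf '%s\n' "$SAMPLE_CONF" | dovecot_asa_201902_1_exposed "2.3.4 (constructed)"
```

A "not both yes" result still leaves a pre-fix version installed, so the upgrade in the Resolution section applies either way.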