Bug 856733 (CVE-2022-30550) - <net-mail/dovecot-2.3.19.1-r1: privilege escalation when master and non-master passdbs are used
Summary: <net-mail/dovecot-2.3.19.1-r1: privilege escalation when master and non-maste...
Status: RESOLVED FIXED
Alias: CVE-2022-30550
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://dovecot.org/pipermail/dovecot...
Whiteboard: B1 [glsa+]
Depends on: 856973
Reported: 2022-07-06 17:18 UTC by John Helmert III
Modified: 2023-10-30 09:53 UTC
Description John Helmert III 2022-07-06 17:18:00 UTC
"Vulnerability Details: 
When two passdb configuration entries exist in Dovecot configuration, which have the same driver and args settings, the incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation with certain configurations involving master user authentication.

Dovecot documentation does not advise against the use of passdb definitions which have the same driver and args settings. One such configuration would be where an administrator wishes to use the same pam configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user."

Patches: https://github.com/dovecot/core/commit/7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904
https://github.com/dovecot/core/commit/a1022072e2ce36f853873d910287f466165b184b
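An added configuration check, not part of the bug report or of Dovecot itself: it parses the passdb sections of a dovecot.conf and reports sections that share driver and args, the precondition the advisory describes, along with which of the username_filter, mechanisms and master settings differ between them. The sample configuration is constructed; the setting names are standard Dovecot 2.3 passdb settings.

```python
from collections import defaultdict

# Constructed sample of the scenario in the advisory: a normal passdb and a
# master passdb share driver and args and differ only in username_filter.
SAMPLE_CONF = """\
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
  master = yes
  username_filter = *@admin.example.org
}
"""

def parse_passdbs(conf):
    """Return one dict of settings per top-level passdb { } section."""
    blocks, current, depth = [], None, 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.endswith("{"):  # section start, e.g. "passdb {"
            if depth == 0 and line.split()[0] == "passdb":
                current = {}
            depth += 1
        elif line == "}":  # section end
            depth -= 1
            if depth == 0 and current is not None:
                blocks.append(current)
                current = None
        elif current is not None and depth == 1 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return blocks

def find_shared_passdbs(conf):
    """Report passdb sections with identical driver and args, and which of
    the settings mis-applied in CVE-2022-30550 differ between them."""
    groups = defaultdict(list)
    for db in parse_passdbs(conf):
        groups[(db.get("driver"), db.get("args"))].append(db)
    return [
        (driver, args, sorted(k for k in ("username_filter", "mechanisms", "master")
                              if len({db.get(k) for db in dbs}) > 1))
        for (driver, args), dbs in groups.items() if len(dbs) > 1
    ]
```

Any non-empty result on a host running a version before the fixed 2.3.19.1-r1 is a configuration to review or to split onto distinct args (for example separate passwd files) until the package is updated.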
Comment 1 Larry the Git Cow 2022-07-08 06:13:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=921f6d327e0d44ef9967b684763e6794ee818757

commit 921f6d327e0d44ef9967b684763e6794ee818757
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2022-07-08 06:11:58 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2022-07-08 06:11:58 +0000

    net-mail/dovecot: security bump
    
    Bug: https://bugs.gentoo.org/856733
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/dovecot-2.3.19.1-r1.ebuild | 303 ++++++++++++++++++++++++++++
 net-mail/dovecot/files/CVE-2022-30550.patch | 155 ++++++++++++++
 2 files changed, 458 insertions(+)
Comment 2 John Helmert III 2022-07-08 17:31:13 UTC
Thanks!
Comment 3 Larry the Git Cow 2022-07-11 04:29:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33894390c6b3e33c46ff367ae4f4bcf40c452be8

commit 33894390c6b3e33c46ff367ae4f4bcf40c452be8
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2022-07-11 04:28:17 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2022-07-11 04:29:08 +0000

    net-mail/dovecot: drop 2.3.18-r1, 2.3.19.1
    
    Bug: https://bugs.gentoo.org/856733
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest                 |   2 -
 net-mail/dovecot/dovecot-2.3.18-r1.ebuild | 307 ------------------------------
 net-mail/dovecot/dovecot-2.3.19.1.ebuild  | 302 -----------------------------
 3 files changed, 611 deletions(-)
Comment 4 Larry the Git Cow 2023-10-30 09:52:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=058e33169cc7ca6d243632e76717c25d3f62381a

commit 058e33169cc7ca6d243632e76717c25d3f62381a
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-30 09:51:47 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-30 09:52:27 +0000

    [ GLSA 202310-19 ] Dovecot: Privilege Escalation
    
    Bug: https://bugs.gentoo.org/856733
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-19.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)