Product: Dovecot
Vendor: Open-Xchange Oy
Internal reference: DOV-2890 (Bug ID)
Vulnerability type: Improper Authentication - Generic (CWE287)
Vulnerable versions: 1.1.0 - 2.2.36 and 2.3.0 - 2.3.4
Vulnerable component: authentication
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed versions: 2.2.36.1, 2.3.4.1
Vendor notification: 2019-01-16
Solution date: 2019-01-20
Public disclosure: 2019-02-05
Researcher Credits: https://hackerone.com/halfdog
CVE reference: CVE-2019-3814
CVSS: 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

Vulnerability Details:

Normally Dovecot is configured to authenticate imap/pop3/managesieve/submission clients using regular username/password combination. Some installations have also required clients to present a trusted SSL certificate on top of that. It's also possible to configure Dovecot to take the username from the certificate instead of from the user provided authentication. It's also possible to avoid having a password at all, only trusting the SSL certificate.

If the provided trusted SSL certificate is missing the username field, Dovecot should be failing the authentication. However, the earlier versions will take the username from the user provided authentication fields (e.g. LOGIN command). If there is no additional password verification, this allows the attacker to login as anyone else in the system.

...
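For triage of the advisory above, here is an added helper script. It is not part of the advisory, of Dovecot, or of the Gentoo ebuild. It applies the advisory's version ranges (1.1.0-2.2.36 and 2.3.0-2.3.4, fixed in 2.2.36.1 and 2.3.4.1) and pattern-matches `doveconf -n` output for the configuration the advisory describes: `auth_ssl_username_from_cert = yes` (username taken from the client certificate), optionally combined with a passdb that skips password verification (`driver = static` with `args = nopassword=yes`). Those setting names are real Dovecot settings; the two sample configs are constructed for this example, and the way it reads the live version (`dovecot --version` printing the version first) is an assumption noted in the code.

```sh
#!/bin/sh
# Added triage helper (not Dovecot's or Gentoo's code). Decides whether a
# Dovecot host is in the configuration that CVE-2019-3814 affects, using the
# version ranges from the advisory and a pattern match on `doveconf -n` output.
# The setting names are real Dovecot settings; the sample configs are constructed.

# Constructed `doveconf -n` excerpt: trusted client cert required, username
# taken from the cert, and a static passdb that checks no password at all.
SAMPLE_CONF='
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
ssl_cert_username_field = commonName
passdb {
  driver = static
  args = nopassword=yes
}
'

# Constructed variant: username still taken from the cert, but a regular
# passdb verifies the password, so the bug does not grant impersonation alone.
SAMPLE_CONF_WITH_PASSWORD='
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
passdb {
  driver = pam
}
'

# True when the username is taken from the client certificate.
uses_cert_username() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*auth_ssl_username_from_cert[[:space:]]*=[[:space:]]*yes'
}

# True when some passdb disables password verification (static nopassword=yes).
skips_password() {
  printf '%s\n' "$1" | grep -Eq 'nopassword[[:space:]]*=[[:space:]]*yes'
}

# Compare dotted versions component by component; prints -1, 0 or 1.
# Missing components count as 0, so 2.2.36 < 2.2.36.1 and 2.3.4 < 2.3.4.1.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    ai=${ai:-0};  bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
  done
  printf '%s\n' 0
}

# "affected" if the version is in 1.1.0-2.2.36 or 2.3.0-2.3.4, "not-affected"
# otherwise, "unknown" for an empty version. Anything after the numeric part
# (e.g. "2.3.4 (c7bc4e5f8)" or "2.3.4-r1") is ignored.
cve_2019_3814_status() {
  v=${1%%[!0-9.]*}
  [ -n "$v" ] || { echo unknown; return 0; }
  if { [ "$(vercmp "$v" 1.1.0)" -ge 0 ] && [ "$(vercmp "$v" 2.2.36)" -le 0 ]; } ||
     { [ "$(vercmp "$v" 2.3.0)" -ge 0 ] && [ "$(vercmp "$v" 2.3.4)" -le 0 ]; }; then
    echo affected
  else
    echo not-affected
  fi
}

# Combine version and config into one verdict:
#   not-affected            version outside the advisory's ranges
#   unknown-version         no usable version string
#   impersonation           cert-derived username and no password check: a
#                           trusted cert without the username field lets the
#                           client choose the account via the LOGIN command
#   username-binding-bypass cert-derived username, but passwords still verified
#   config-not-exposed      username never taken from the cert
classify() {
  version=$1; conf=$2
  case $(cve_2019_3814_status "$version") in
    not-affected) echo not-affected; return 0;;
    unknown)      echo unknown-version; return 0;;
  esac
  if uses_cert_username "$conf" && skips_password "$conf"; then
    echo impersonation
  elif uses_cert_username "$conf"; then
    echo username-binding-bypass
  else
    echo config-not-exposed
  fi
}

# Demo on the constructed samples. On a live host (assumption: `dovecot --version`
# prints the version first):  classify "$(dovecot --version)" "$(doveconf -n)"
classify 2.3.4 "$SAMPLE_CONF"
classify 2.3.4 "$SAMPLE_CONF_WITH_PASSWORD"
classify 2.3.4.1 "$SAMPLE_CONF"
```

The version comparison is done component-wise rather than with `sort -V` so that the fixed releases 2.2.36.1 and 2.3.4.1 sort above the last affected 2.2.36 and 2.3.4 on any POSIX sh. The config match is deliberately narrow: it only flags the `auth_ssl_username_from_cert` setting the advisory names, and treats a `nopassword=yes` passdb as the condition under which the bug becomes full impersonation.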
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ed10b03e89977986561e20a4bd53b5273b5272a

commit 1ed10b03e89977986561e20a4bd53b5273b5272a
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2019-02-07 05:57:25 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2019-02-07 05:58:27 +0000

    net-mail/dovecot: security bump to 2.3.4.1

    Bug: https://bugs.gentoo.org/677350
    Package-Manager: Portage-2.3.59, Repoman-2.3.12
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest               |   1 +
 net-mail/dovecot/dovecot-2.3.4.1.ebuild | 293 ++++++++++++++++++++++++++++++++
 2 files changed, 294 insertions(+)
Time to stabilize?
@maintainer, which version do you want to stabilize here? 2.3.5.1 is stable on most already... just need to pick up alpha and s390.
We should go with stabilizing net-mail/dovecot-2.3.5.1 at bug #681922
This issue was resolved and addressed in GLSA 201904-19 at https://security.gentoo.org/glsa/201904-19 by GLSA coordinator Aaron Bauman (b-man).