Your message dated Sun, 31 Jul 2022 15:50:00 +0000
with message-id <e1oibca-001ga4...@fasolo.debian.org>
and subject line Bug#1016351: fixed in dovecot 1:2.3.19.1+dfsg1-2
has caused the Debian Bug report #1016351,
regarding dovecot: CVE-2022-30550
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1016351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016351
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dovecot
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for dovecot.

CVE-2022-30550[0]:
| An issue was discovered in the auth component in Dovecot 2.2 and 2.3
| before 2.3.20. When two passdb configuration entries exist with the
| same driver and args settings, incorrect username_filter and mechanism
| settings can be applied to passdb definitions. These incorrectly
| applied settings can lead to an unintended security configuration and
| can permit privilege escalation in certain configurations. The
| documentation does not advise against the use of passdb definitions
| that have the same driver and args settings. One such configuration
| would be where an administrator wishes to use the same PAM
| configuration or passwd file for both normal and master users but use
| the username_filter setting to restrict which of the users is able to
| be a master user.

https://www.openwall.com/lists/oss-security/2022/07/06/9
https://github.com/dovecot/core/commit/7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904
https://github.com/dovecot/core/commit/a1022072e2ce36f853873d910287f466165b184b

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-30550
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30550

Please adjust the affected versions in the BTS as needed.

--- End Message ---
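
A configuration check for the condition the CVE text above describes, as an added example that is not part of the original bug report or Dovecot's own code: it groups `passdb` blocks by `driver` and `args` and reports the duplicates. The function names and the sample configuration are constructed, and it assumes flat `passdb { ... }` blocks as written in `dovecot.conf`.

```python
import re
from collections import defaultdict

# Constructed sample configuration; the path and filter value are illustrative.
SAMPLE_CONF = """\
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
  master = yes
  username_filter = admin-*
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
}
passdb {
  driver = pam
  args = dovecot
}
"""

BLOCK_RE = re.compile(r"^[ \t]*passdb[ \t]*\{(.*?)^[ \t]*\}", re.S | re.M)
SETTING_RE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)

def parse_passdbs(conf):
    """Return one settings dict per top-level passdb block, in file order."""
    text = re.sub(r"^[ \t]*#.*$", "", conf, flags=re.M)  # drop comment lines
    return [dict(SETTING_RE.findall(body)) for body in BLOCK_RE.findall(text)]

def find_colliding_passdbs(conf):
    """Report passdb blocks that share the same driver and args values."""
    groups = defaultdict(list)
    for index, settings in enumerate(parse_passdbs(conf)):
        groups[(settings.get("driver", ""), settings.get("args", ""))].append((index, settings))
    findings = []
    for (driver, args), members in groups.items():
        if len(members) > 1:
            findings.append({
                "driver": driver, "args": args,
                "blocks": [i for i, _ in members],
                # True when a duplicate carries one of the settings the CVE text names.
                "has_filter": any("username_filter" in s or "mechanisms" in s
                                  for _, s in members),
            })
    return findings

if __name__ == "__main__":
    for f in find_colliding_passdbs(SAMPLE_CONF):
        print(f)
```

A finding with `has_filter` set is the configuration to review first on versions before the fix, since those are the entries whose `username_filter` or `mechanisms` restrictions the advisory says can be applied incorrectly.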
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.3.19.1+dfsg1-2
Done: Noah Meyerhans <no...@debian.org>

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1016...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <no...@debian.org> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 29 Jul 2022 19:58:28 -0700
Source: dovecot
Architecture: source
Version: 1:2.3.19.1+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Dovecot Maintainers <dove...@packages.debian.org>
Changed-By: Noah Meyerhans <no...@debian.org>
Closes: 1016351
Changes:
 dovecot (1:2.3.19.1+dfsg1-2) unstable; urgency=medium
 .
   [ Christian Göttsche ]
   * [281fb2c] d/patches: cherry-pick fix for CVE-2022-30550 (Closes: #1016351)
   * [9c58e71] d/patches: fix uninitialized read in doveadm-oldstats
   * [a76a24d] d/control: bump to standards version 4.6.1 (no further changes)
   * [4aaaa8b] Update Lintian overrides


--- End Message ---
