Source: dovecot
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,

The following vulnerability was published for dovecot.

CVE-2022-30550[0]:
| An issue was discovered in the auth component in Dovecot 2.2 and 2.3
| before 2.3.20. When two passdb configuration entries exist with the
| same driver and args settings, incorrect username_filter and mechanism
| settings can be applied to passdb definitions. These incorrectly
| applied settings can lead to an unintended security configuration and
| can permit privilege escalation in certain configurations. The
| documentation does not advise against the use of passdb definitions
| that have the same driver and args settings. One such configuration
| would be where an administrator wishes to use the same PAM
| configuration or passwd file for both normal and master users but use
| the username_filter setting to restrict which of the users is able to
| be a master user.

https://www.openwall.com/lists/oss-security/2022/07/06/9
https://github.com/dovecot/core/commit/7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904
https://github.com/dovecot/core/commit/a1022072e2ce36f853873d910287f466165b184b

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-30550
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30550

Please adjust the affected versions in the BTS as needed.
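An added example, not part of the bug report or of Dovecot itself: a small Python check that parses a dovecot.conf fragment and flags passdb blocks sharing the same driver and args where one of them sets username_filter or mechanisms, which is the configuration shape the advisory describes. The sample config, its file paths and the filter value are constructed for the example.

```python
from collections import defaultdict

# Constructed sample config: two passdb blocks share driver and args, and
# one is narrowed to master users with username_filter (advisory's scenario).
SAMPLE_CONF = """\
passdb {
  driver = passwd-file
  args = /etc/dovecot/masters
  master = yes
  username_filter = admin*
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/masters
}
"""

def parse_passdbs(text):
    """Return one dict (key -> value) per top-level passdb block."""
    blocks, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if current is None:
            # "passdb {" or the named form "passdb name {"
            if line.startswith("passdb") and line.endswith("{"):
                current, depth = {}, 1
            continue
        if line.endswith("{"):
            depth += 1                         # nested section: skip its keys
        elif line == "}":
            depth -= 1
            if depth == 0:
                blocks.append(current)
                current = None
        elif depth == 1 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return blocks

def shared_backend_passdbs(text):
    """Groups of passdbs with identical (driver, args) where any member
    relies on username_filter or mechanisms to restrict who it matches."""
    groups = defaultdict(list)
    for block in parse_passdbs(text):
        groups[(block.get("driver"), block.get("args"))].append(block)
    return {key: members for key, members in groups.items()
            if len(members) > 1
            and any("username_filter" in m or "mechanisms" in m for m in members)}
```

Run it over a real configuration before upgrading to 2.3.20; any group it returns is a passdb pair worth splitting into distinct backends or re-checking after the fix.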