Your message dated Sun, 14 Aug 2022 15:47:08 +0000
with message-id <e1onfpu-00bftu...@fasolo.debian.org>
and subject line Bug#1016351: fixed in dovecot 1:2.3.13+dfsg1-2+deb11u1
has caused the Debian Bug report #1016351,
regarding dovecot: CVE-2022-30550
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1016351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016351
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dovecot
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for dovecot.

CVE-2022-30550[0]:
| An issue was discovered in the auth component in Dovecot 2.2 and 2.3
| before 2.3.20. When two passdb configuration entries exist with the
| same driver and args settings, incorrect username_filter and mechanism
| settings can be applied to passdb definitions. These incorrectly
| applied settings can lead to an unintended security configuration and
| can permit privilege escalation in certain configurations. The
| documentation does not advise against the use of passdb definitions
| that have the same driver and args settings. One such configuration
| would be where an administrator wishes to use the same PAM
| configuration or passwd file for both normal and master users but use
| the username_filter setting to restrict which of the users is able to
| be a master user.

https://www.openwall.com/lists/oss-security/2022/07/06/9
https://github.com/dovecot/core/commit/7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904
https://github.com/dovecot/core/commit/a1022072e2ce36f853873d910287f466165b184b

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-30550
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30550

Please adjust the affected versions in the BTS as needed.

--- End Message ---
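
Added example (not part of the original messages, and not Dovecot or Debian code): a configuration check for the precondition named in the CVE text above, two passdb entries with the same driver and args settings. The sample configuration, the function names and the simplified parsing of `doveconf -n`-style output are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample in the style of `doveconf -n` output (not from the page).
SAMPLE_CONF = """\
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
  master = yes
  username_filter = admin@example.org
}
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
}
"""
RESTRICTING = ("username_filter", "mechanisms", "master")  # settings that limit an entry

def parse_passdbs(conf_text):
    """Return one settings dict per `passdb { ... }` block (flat blocks only)."""
    blocks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if current is None:
            if "".join(line.split()) == "passdb{":
                current = {}
        elif line == "}":
            blocks.append(current)
            current = None
        elif "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return blocks

def find_colliding_passdbs(conf_text):
    """Report passdb entries that share driver and args, the CVE's precondition."""
    groups = defaultdict(list)
    for idx, block in enumerate(parse_passdbs(conf_text)):
        groups[(block.get("driver", ""), block.get("args", ""))].append((idx, block))
    findings = []
    for (driver, args), members in groups.items():
        if len(members) > 1:
            variants = {tuple(b.get(k, "") for k in RESTRICTING) for _, b in members}
            findings.append({"driver": driver, "args": args,
                             "indexes": [i for i, _ in members],
                             "settings_differ": len(variants) > 1})
    return findings

if __name__ == "__main__":
    print(find_colliding_passdbs(SAMPLE_CONF))
```

A finding with `settings_differ` set means the colliding entries carry different restrictions, which is the case where a misapplied `username_filter` or mechanism setting changes who can authenticate.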
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.3.13+dfsg1-2+deb11u1
Done: Noah Meyerhans <no...@debian.org>

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1016...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <no...@debian.org> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 31 Jul 2022 17:47:06 -0700
Source: dovecot
Architecture: source
Version: 1:2.3.13+dfsg1-2+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Dovecot Maintainers <dove...@packages.debian.org>
Changed-By: Noah Meyerhans <no...@debian.org>
Closes: 1016351
Changes:
 dovecot (1:2.3.13+dfsg1-2+deb11u1) bullseye; urgency=medium
 .
   * [4b5dac8] d/patches: cherry-pick fix for CVE-2022-30550 (Closes: #1016351)
   * [597ba7f] salsa-ci: build with bullseye

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
