Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

cyrus-imapd is vulnerable to CVE-2019-18928: privilege escalation on HTTP request. This is a minor vulnerability since authentication is already vulnerable when using a non-SSL connection. However, this little patch fixes the problem.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog index 8023011..b011c8f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +cyrus-imapd (3.0.8-6+deb10u2) buster; urgency=high + + * Fix privilege escalation on HTTP request (Closes: CVE-2019-18928) + + -- Xavier Guimard <y...@debian.org> Tue, 19 Nov 2019 22:21:32 +0100 + cyrus-imapd (3.0.8-6+deb10u1) buster; urgency=medium * Add patch to fix data loss on upgrade from versions ≤ 3.0.0 diff --git a/debian/patches/CVE-2019-18928.patch b/debian/patches/CVE-2019-18928.patch new file mode 100644 index 0000000..41bbad8 --- /dev/null +++ b/debian/patches/CVE-2019-18928.patch @@ -0,0 +1,38 @@ +Description: fix privilege escalation + Only allow reuse of auth creds on a persistent connection against a backend + server in a Murder +Author: Ken Murchison <mu...@fastmail.com> +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/e675bf7 +Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18928 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2019-11-19 + +--- a/imap/httpd.c ++++ b/imap/httpd.c +@@ -1729,6 +1729,25 @@ + txn->auth_chal.scheme = NULL; + } + ++ /* Drop auth credentials, if not a backend in a Murder */ ++ else if (!config_mupdate_server || !config_getstring(IMAPOPT_PROXYSERVERS)) { ++ syslog(LOG_DEBUG, "drop auth creds"); ++ ++ free(httpd_userid); ++ httpd_userid = NULL; ++ ++ free(httpd_extrafolder); ++ httpd_extrafolder = NULL; ++ ++ free(httpd_extradomain); ++ httpd_extradomain = NULL; ++ ++ if (httpd_authstate) { ++ auth_freestate(httpd_authstate); ++ httpd_authstate = NULL; ++ } ++ } ++ + /* Perform proxy authorization, if necessary */ + else if (saslprops.authid && + (hdr = spool_getheader(txn->req_hdrs, "Authorize-As")) && diff --git a/debian/patches/series b/debian/patches/series index e9631e4..c66f980 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -23,3 +23,4 @@ 0023-fix-memory-leak-on-ldap-failure.patch CVE-2019-11356.patch 0024-dont-skip-records-with-modseq-0.patch +CVE-2019-18928.patch
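Review bot: in the debian/changelog hunk, `(Closes: CVE-2019-18928)` does not close anything: the BTS `Closes:` keyword expects a Debian bug number (`Closes: #NNNNNN`), and the security tracker picks up a bare CVE id from the changelog text on its own. Suggest `* Fix privilege escalation on HTTP request (CVE-2019-18928)` and add `Closes: #NNNNNN` only if a BTS bug exists for this issue.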
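Review bot: in the new debian/patches/CVE-2019-18928.patch, the embedded imap/httpd.c hunk inserts the "drop auth creds" branch into an `else if` chain ahead of the existing "Perform proxy authorization" branch, so a request whose credentials are dropped is never proxy-authorized via `Authorize-As` on the stale identity; that ordering is what makes the fix work and deserves a one-line comment in the patch, since a later reordering of the chain would silently reopen the issue. The condition `!config_mupdate_server || !config_getstring(IMAPOPT_PROXYSERVERS)` matches the Description (creds survive only on a Murder backend); note the branch frees `httpd_userid`, `httpd_extrafolder` and `httpd_extradomain` without a NULL check but guards `auth_freestate(httpd_authstate)`, which is fine because `free(NULL)` is a no-op, while `auth_freestate` may not be. On the DEP-3 header, `Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/e675bf7` uses an abbreviated hash; the full commit hash is preferable so the reference stays unambiguous.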
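Review bot: the debian/patches/series hunk appends `CVE-2019-18928.patch` after `0024-dont-skip-records-with-modseq-0.patch`, which matches the new file name, so the patch is applied last; since the httpd.c hunk carries only a bare `@@ -1729,6 +1729,25 @@` header with no function context, please confirm with `quilt push -a` that it still applies cleanly (no fuzz or offset) on top of the earlier patches in the series.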