On 2.9.2019 12.51, MK via dovecot wrote:
>>> On 2 Sep 2019, at 11.01, MK via dovecot <dovecot@dovecot.org> wrote:
>>>
>>> Good Morning List,
>>>
>>> just a short question to this vulnerability. We are using a setup with
>>> dovecot redirector/proxy frontend servers
>>> and some backend server, which store the mailboxes.
>>> Is it enough to update the frontend servers if I like to fix the
>>> vulnerability?
>> No.
>>
>> Sami
> Thanks. Do I understand this correctly that updating the frontends fixes only
> the vulnerability for anonymous requests
> and for users logged in the vulnerability still exists if I don't update the
> backend servers?
>
> Oliver
>
You are correct. After authentication proxies & directors will forward data as-is to backend, which leaves you vulnerable to post-auth vulnerability.

Aki