What? No user-serviceable parts inside your car? It's a federal felony to raise 
the hood for any reason. You've got to see an authorized dealer or a 
professional mechanic for every little thing on a used car because cars are 
closed-source, proprietary, and it's illegal to circumvent anything, etc. Elon 
Musk is hard at work.

On July 7, 2022 12:59:13 PM AKDT, Noel Butler <noel.but...@ausics.net> wrote:
>On 07/07/2022 07:24, Aki Tuomi wrote:
>
>>> On 06/07/2022 16:54 EEST Aki Tuomi via Dovecot-news 
>>> <dovecot-n...@dovecot.org> wrote:
>>> 
>>> Affected product: Dovecot IMAP Server
>>> Internal reference: DOV-5320
>>> Vulnerability type: Improper Access Control (CWE-284)
>>> Vulnerable version: 2.2
>>> Vulnerable component: submission
>>> Report confidence: Confirmed
>>> Solution status: Fixed in main
>>> Researcher credits: Julian Brook (julezman)
>>> Vendor notification: 2022-05-06
>>> CVE reference: CVE-2022-30550
>>> CVSS: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
>>> 
>>> Vulnerability Details:
>>> When two passdb configuration entries exist in Dovecot configuration, which 
>>> have the same driver and args settings, the incorrect username_filter and 
>>> mechanism settings can be applied to passdb definitions. These incorrectly 
>>> applied settings can lead to an unintended security configuration and can 
>>> permit privilege escalation with certain configurations involving master 
>>> user authentication.
>>> 
>>> Dovecot documentation does not advise against the use of passdb definitions 
>>> which have the same driver and args settings. One such configuration would 
>>> be where an administrator wishes to use the same pam configuration or 
>>> passwd file for both normal and master users but use the username_filter 
>>> setting to restrict which of the users is able to be a master user.
>>> 
>>> Risk:
>>> If the same passwd file or PAM is used for both normal and master users, it is 
>>> possible for an attacker to become a master user.
>>> 
>>> Workaround:
>>> Always authenticate master users from a different source than regular users, 
>>> e.g. using a separate passwd file. Alternatively, you can use global ACLs 
>>> to ensure that only legitimate master users have privileged access.
>>> 
>>> Fix:
>>> This has been fixed in main branch. See 
>>> https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch
>> 
>> Two small corrections to this CVE notice... The service impacted is of 
>> course 'auth' not 'submission', and the version impacted is from 2.2 to 
>> 2.3.19.1.
>> 
>> Aki
>
>I wouldn't exactly call them "small" corrections.
>
>It's like going from saying the left window on your 2020 car can be pushed down easily to 
>saying "oh wait, it's every window, and you don't need a key to start the engine, 
>and btw it's all cars from 2010 to 2022".
>
>And if it's that serious, where is the release? That's how dealing with CVEs 
>works, Aki, not a CVE statement saying go to GitHub.
>
>That said, I'd assume everyone uses a separate db for support teams anyway, or 
>I'd hope so.
>
>-- 
>Regards,
>Noel Butler
>
>This Email, including attachments, may contain legally privileged information, 
>therefore at all times remains confidential and subject to copyright protected 
>under international law. You may not disseminate this message without the 
>authors express written authority to do so.   If you are not the intended 
>recipient, please notify the sender then delete all copies of this message 
>including attachments immediately. Confidentiality, copyright, and legal 
>privilege are not waived or lost by reason of the mistaken delivery of this 
>message.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
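The advisory quoted above describes a configuration pattern rather than a code bug: two passdb blocks that share the same driver and args (for example one passwd file serving both regular and master users, with username_filter doing the separation). The following audit script is an added example for this thread, not code from Dovecot or from anyone in the discussion. It parses text in the shape of `doveconf -n` output, groups passdb blocks by (driver, args), and reports any group with more than one member, flagging whether one of them is a master passdb. Both configuration samples are constructed for the example; the file paths in them are placeholders, and the script assumes the standard top-level `passdb { ... }` block layout with one `key = value` setting per line.

```python
"""Audit Dovecot passdb blocks for the CVE-2022-30550 pattern: two passdb
entries that share driver and args, so that settings such as username_filter
or mechanisms intended for one of them may end up applied to the other.
Input is expected in the shape of `doveconf -n` output. Added example; not
Dovecot's own code."""
import re
from collections import defaultdict

# Constructed sample: one passwd file used for both regular and master users,
# with username_filter relied on to restrict who may act as a master user.
# This is the shape of configuration the advisory's workaround tells you to avoid.
SHARED_SOURCE_CONFIG = """
passdb {
  driver = passwd-file
  args = /etc/dovecot/users            # placeholder path
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/users            # same driver and args as above
  master = yes
  username_filter = support*
  result_success = continue
}
userdb {
  driver = passwd
}
"""

# Constructed sample following the workaround: master users come from a
# separate passwd file, so the two passdb blocks no longer share a source.
SEPARATE_SOURCE_CONFIG = """
passdb {
  driver = passwd-file
  args = /etc/dovecot/users            # placeholder path
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/master-users     # placeholder path, distinct file
  master = yes
  result_success = continue
}
"""

_BLOCK_START = re.compile(r"^([\w-]+)(?:\s+\S+)?\s*\{$")  # "passdb {", "service auth {"


def parse_passdbs(text):
    """Return one dict of settings per top-level passdb { ... } block, in file order."""
    passdbs = []
    stack = []        # names of the blocks we are currently inside
    current = None    # settings of the passdb block being read, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and whitespace
        if not line:
            continue
        m = _BLOCK_START.match(line)
        if m:
            stack.append(m.group(1))
            if m.group(1) == "passdb" and len(stack) == 1:
                current = {}
            continue
        if line == "}":
            name = stack.pop()
            if name == "passdb" and current is not None and not stack:
                passdbs.append(current)
                current = None
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return passdbs


def find_shared_sources(passdbs):
    """Group passdb indices by (driver, args); keep only groups with more than one entry."""
    groups = defaultdict(list)
    for idx, p in enumerate(passdbs):
        groups[(p.get("driver", ""), p.get("args", ""))].append(idx)
    return {key: members for key, members in groups.items() if len(members) > 1}


def audit(text):
    """Return a finding per group of passdb blocks that share driver and args."""
    passdbs = parse_passdbs(text)
    findings = []
    for (driver, args), members in find_shared_sources(passdbs).items():
        findings.append({
            "driver": driver,
            "args": args,
            "entries": members,
            # A master passdb in the group is the case the advisory's Risk section describes.
            "includes_master": any(passdbs[i].get("master", "no").lower() == "yes"
                                   for i in members),
        })
    return findings


if __name__ == "__main__":
    for label, cfg in (("shared source", SHARED_SOURCE_CONFIG),
                       ("separate source", SEPARATE_SOURCE_CONFIG)):
        print(label, "->", audit(cfg) or "no shared passdb sources")
```

To run it against a live server, feed it `doveconf -n` output instead of the embedded samples; an empty result means no two passdb blocks share a source, which is the state the advisory's workaround asks for.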
