#11635: dovecot-2.3.4.1
-------------------------+------------------------
Reporter: bdubbs | Owner: blfs-book
Type: enhancement | Status: new
Priority: normal | Milestone: 8.4
Component: BOOK | Version: SVN
Severity: normal | Resolution:
Keywords: |
-------------------------+------------------------
Comment (by bdubbs):
v2.3.4.1 2019-02-05
* CVE-2019-3814: If imap/pop3/managesieve/submission client has
trusted certificate with missing username field
(ssl_cert_username_field), under some configurations Dovecot
mistakenly trusts the username provided via authentication instead
of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH,
because none of the MTAs (Postfix, Exim) currently send the
cert_username field. This may have allowed users with trusted
certificate to specify any username in the authentication. This bug
didn't affect Dovecot's Submission service.
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/11635#comment:1>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
--
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
