Bug#860049: dovecot-core 1:2.2.13-12~deb8u2 (fix for bug 860049) seems to break dovecot dict key interpolation entirely

2017-04-11 Thread Aki Tuomi
On 11.04.2017 11:04, Apollon Oikonomopoulos wrote: > Hi, > > On 09:00 Tue 11 Apr , Salvatore Bonaccorso wrote: >> So the problem is present, and was a quite bad mistake on my end. Aki >> tracked it down, and although the patch applies back to 2.2.10 the >> vulnerability itself was only introd

Bug#860049: dovecot-core 1:2.2.13-12~deb8u2 (fix for bug 860049) seems to break dovecot dict key interpolation entirely

2017-04-11 Thread Apollon Oikonomopoulos
Hi, On 09:00 Tue 11 Apr , Salvatore Bonaccorso wrote: > So the problem is present, and was a quite bad mistake on my end. Aki > tracked it down, and although the patch applies back to 2.2.10 the > vulnerability itself was only introduced with > https://github.com/dovecot/core/commit/a3783f8a3c

Bug#860049: dovecot-core 1:2.2.13-12~deb8u2 (fix for bug 860049) seems to break dovecot dict key interpolation entirely

2017-04-11 Thread Salvatore Bonaccorso
Hi Apollon, On Tue, Apr 11, 2017 at 09:12:38AM +0300, Apollon Oikonomopoulos wrote: > Hi Salvatore, > > On 06:33 Tue 11 Apr , Salvatore Bonaccorso wrote: > > Timo and Aki, attached is the patch used for the version in Debian > > Jessie. > > > > Did I misss something obvious with backporting

Bug#860049: dovecot-core 1:2.2.13-12~deb8u2 (fix for bug 860049) seems to break dovecot dict key interpolation entirely

2017-04-10 Thread Aki Tuomi
On 11.04.2017 07:33, Salvatore Bonaccorso wrote: > Hi Nick, > > On Tue, Apr 11, 2017 at 01:19:11AM +0100, Nick Thomas wrote: >> Hi, >> >> dovecot-core/1:2.2.13-12~deb8u2 with a dict-based userdb or passdb no >> longer interprets placeholders like %u in the keys even once. >> >> The referenced com

Bug#860049: dovecot-core 1:2.2.13-12~deb8u2 (fix for bug 860049) seems to break dovecot dict key interpolation entirely

2017-04-10 Thread Apollon Oikonomopoulos
Hi Salvatore, On 06:33 Tue 11 Apr , Salvatore Bonaccorso wrote: > Timo and Aki, attached is the patch used for the version in Debian > Jessie. > > Did I misss something obvious with backporting the commit to 2.2.13? > > Regards, > Salvatore > From 30feb7a30f193197f1aab8a7b04a26b42735 Mo

Bug#860049: dovecot-core 1:2.2.13-12~deb8u2 (fix for bug 860049) seems to break dovecot dict key interpolation entirely

2017-04-10 Thread Salvatore Bonaccorso
Hi Nick, On Tue, Apr 11, 2017 at 01:19:11AM +0100, Nick Thomas wrote: > Hi, > > dovecot-core/1:2.2.13-12~deb8u2 with a dict-based userdb or passdb no > longer interprets placeholders like %u in the keys even once. > > The referenced commit claims to prevent double-parsing in a situation > like t

Bug#860049: dovecot-core 1:2.2.13-12~deb8u2 (fix for bug 860049) seems to break dovecot dict key interpolation entirely

2017-04-10 Thread Nick Thomas
Hi, dovecot-core/1:2.2.13-12~deb8u2 with a dict-based userdb or passdb no longer interprets placeholders like %u in the keys even once. The referenced commit claims to prevent double-parsing in a situation like this: username: fo...@example.com config file: ``` key userdb {   key = userdb/%u