Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 05 Feb 2019 13:49:13 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 235523] mail/dovecot: Update to 2.3.4.1 (CVE-2019-3814)
Message-ID:  <bug-235523-7788@https.bugs.freebsd.org/bugzilla/>

next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D235523

            Bug ID: 235523
           Summary: mail/dovecot: Update to 2.3.4.1 (CVE-2019-3814)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Keywords: security
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ler@FreeBSD.org
          Reporter: pascal.christen@hostpoint.ch
          Assignee: ler@FreeBSD.org
             Flags: maintainer-feedback?(ler@FreeBSD.org)

* CVE-2019-3814: If imap/pop3/managesieve/submission client has
      trusted certificate with missing username field
      (ssl_cert_username_field), under some configurations Dovecot
      mistakenly trusts the username provided via authentication instead
      of failing.
    * ssl_cert_username_field setting was ignored with external SMTP AUTH,
      because none of the MTAs (Postfix, Exim) currently send the
      cert_username field. This may have allowed users with trusted
      certificate to specify any username in the authentication. This bug
      didn't affect Dovecot's Submission service.

--=20
You are receiving this mail because:
You are the assignee for the bug.=



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-235523-7788>