[Buildroot] [PATCH] package/dovecot: security bump to version 2.3.4.1
Peter Korsgaard
peter at korsgaard.com
Mon Feb 18 16:37:50 UTC 2019
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> * CVE-2019-3814: If imap/pop3/managesieve/submission client has
> trusted certificate with missing username field
> (ssl_cert_username_field), under some configurations Dovecot
> mistakenly trusts the username provided via authentication instead
> of failing.
> * ssl_cert_username_field setting was ignored with external SMTP AUTH,
> because none of the MTAs (Postfix, Exim) currently send the
> cert_username field. This may have allowed users with trusted
> certificate to specify any username in the authentication. This bug
> didn't affect Dovecot's Submission service.
> For more details, see the announcement:
> https://www.dovecot.org/list/dovecot-news/2019-February/000394.html
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2018.11.x, thanks.
For 2018.02.x I will instead bump to 2.2.36.1, which contains the same
fixes.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list