Bug 235523 - mail/dovecot: Update to 2.3.4.1 (CVE-2019-3814)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Larry Rosenman
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2019-02-05 13:49 UTC by Pascal Christen
Modified: 2019-02-05 15:07 UTC
ler: maintainer-feedback+


Attachments
Patch for Dovecot (705 bytes, patch)
2019-02-05 13:50 UTC, Pascal Christen
Description Pascal Christen 2019-02-05 13:49:13 UTC
    * CVE-2019-3814: If imap/pop3/managesieve/submission client has
      trusted certificate with missing username field
      (ssl_cert_username_field), under some configurations Dovecot
      mistakenly trusts the username provided via authentication instead
      of failing.
    * ssl_cert_username_field setting was ignored with external SMTP AUTH,
      because none of the MTAs (Postfix, Exim) currently send the
      cert_username field. This may have allowed users with trusted
      certificate to specify any username in the authentication. This bug
      didn't affect Dovecot's Submission service.
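
The failure mode named in the description (falling back to the client-supplied username when the certificate's username field is missing), modelled next to a fail-closed version. This is an added illustration, not Dovecot's code and not part of the bug report; the struct, the function names and the sample usernames are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a login attempt; not Dovecot's data structures. */
struct login_request {
    int cert_trusted;           /* client certificate chained to a trusted CA */
    const char *cert_username;  /* value of the configured certificate field,
                                   NULL when the certificate lacks it */
    const char *auth_username;  /* username sent in the authentication exchange */
};

static int has_value(const char *s) { return s != NULL && s[0] != '\0'; }

/* Flawed decision: a missing certificate field silently falls back to the
 * client-supplied name, so any trusted certificate can claim any user. */
const char *pick_username_flawed(const struct login_request *req)
{
    if (!req->cert_trusted)
        return NULL;
    if (has_value(req->cert_username))
        return req->cert_username;
    return req->auth_username;          /* trusts unauthenticated input */
}

/* Fail-closed decision: the identity comes from the certificate only.
 * A missing field is an authentication failure, never a fallback. */
const char *pick_username_strict(const struct login_request *req)
{
    if (!req->cert_trusted)
        return NULL;
    if (!has_value(req->cert_username))
        return NULL;                    /* reject instead of guessing */
    return req->cert_username;          /* client-supplied name is ignored */
}

int main(void)
{
    /* Constructed case: trusted certificate without the username field. */
    struct login_request req = { 1, NULL, "someone-else" };
    const char *flawed = pick_username_flawed(&req);
    const char *strict = pick_username_strict(&req);

    printf("flawed: %s\n", flawed ? flawed : "(login rejected)");
    printf("strict: %s\n", strict ? strict : "(login rejected)");
    return 0;
}
```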
Comment 1 Pascal Christen 2019-02-05 13:50:59 UTC
Created attachment 201762
Patch for Dovecot
Comment 2 commit-hook freebsd_committer freebsd_triage 2019-02-05 14:50:54 UTC
A commit references this bug:

Author: ler
Date: Tue Feb  5 14:50:39 UTC 2019
New revision: 492245
URL: https://svnweb.freebsd.org/changeset/ports/492245

Log:
  mail/dovecot: upgrade to 2.3.4.1

      * CVE-2019-3814: If imap/pop3/managesieve/submission client has
        trusted certificate with missing username field
        (ssl_cert_username_field), under some configurations Dovecot
        mistakenly trusts the username provided via authentication instead
        of failing.
      * ssl_cert_username_field setting was ignored with external SMTP AUTH,
        because none of the MTAs (Postfix, Exim) currently send the
        cert_username field. This may have allowed users with trusted
        certificate to specify any username in the authentication. This bug
        didn't affect Dovecot's Submission service.

  PR:		235523
  Submitted by:	pascal.christen@hostpoint.ch
  MFH:		2019Q1
  Security:	1340fcc1-2953-11e9-bc44-a4badb296695
  Security:	CVE-2019-3814

Changes:
  head/mail/dovecot/Makefile
  head/mail/dovecot/distinfo
Comment 3 Larry Rosenman freebsd_committer freebsd_triage 2019-02-05 14:53:05 UTC
Committed, thanks!
Comment 4 commit-hook freebsd_committer freebsd_triage 2019-02-05 15:03:08 UTC
A commit references this bug:

Author: ler
Date: Tue Feb  5 15:02:37 UTC 2019
New revision: 492248
URL: https://svnweb.freebsd.org/changeset/ports/492248

Log:
  MFH: r489098 r489515 r492245

  mail/dovecot: Pick up a mailinglist patch for solr/tika separation.

  solr and tika currently use the same http client connection.  Upstream
  made the attached patches in response to my (ler@) bug report.

  Obtained from:	upstream mailing list.

  mail/dovecot: Pick up mailing list patch for imap-preauth vs. stats-writer.

  see the dovecot mailing list thread on imap-preauth and stats-writer between
  Stephan Bosch and a FreeBSD user

  Obtained from:	upstream mailing list.

  mail/dovecot: upgrade to 2.3.4.1

      * CVE-2019-3814: If imap/pop3/managesieve/submission client has
        trusted certificate with missing username field
        (ssl_cert_username_field), under some configurations Dovecot
        mistakenly trusts the username provided via authentication instead
        of failing.
      * ssl_cert_username_field setting was ignored with external SMTP AUTH,
        because none of the MTAs (Postfix, Exim) currently send the
        cert_username field. This may have allowed users with trusted
        certificate to specify any username in the authentication. This bug
        didn't affect Dovecot's Submission service.

  PR:		235523
  Submitted by:	pascal.christen@hostpoint.ch
  Security:	1340fcc1-2953-11e9-bc44-a4badb296695
  Security:	CVE-2019-3814

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2019Q1/
  branches/2019Q1/mail/dovecot/Makefile
  branches/2019Q1/mail/dovecot/distinfo
  branches/2019Q1/mail/dovecot/files/patch-src_lib-master_master-service.c
  branches/2019Q1/mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c
  branches/2019Q1/mail/dovecot/files/patch-src_plugins_fts_fts-parser-tika.c