Bug 235523

Summary: mail/dovecot: Update to 2.3.4.1 (CVE-2019-3814)
Product: Ports & Packages
Reporter: Pascal Christen <pascal.christen>
Component: Individual Port(s)
Assignee: Larry Rosenman <ler>
Status: Closed FIXED
Severity: Affects Many People
Keywords: security
Priority: ---
Flags: ler: maintainer-feedback+
Version: Latest
Hardware: Any
OS: Any
Attachments:
    Patch for Dovecot (flags: none)

Description Pascal Christen 2019-02-05 13:49:13 UTC
    * CVE-2019-3814: If imap/pop3/managesieve/submission client has
      trusted certificate with missing username field
      (ssl_cert_username_field), under some configurations Dovecot
      mistakenly trusts the username provided via authentication instead
      of failing.
    * ssl_cert_username_field setting was ignored with external SMTP AUTH,
      because none of the MTAs (Postfix, Exim) currently send the
      cert_username field. This may have allowed users with trusted
      certificate to specify any username in the authentication. This bug
      didn't affect Dovecot's Submission service.
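As an added illustration, not part of the bug report and not Dovecot's source, the following Python model shows the decision the first bullet describes: when a client presents a trusted certificate and the server derives the login identity from a certificate field, the configured field must supply that identity, and the pre-2.3.4.1 behaviour of silently falling back to the client-supplied login name when the field is absent is the defect. The names ClientCert, AuthRejected and effective_username are chosen here for illustration; only the setting name ssl_cert_username_field comes from the report.

```python
"""Model of the certificate-username decision behind CVE-2019-3814.

Constructed example: this is not Dovecot's code, only a model of the two
behaviours the bug report describes (fixed vs. pre-2.3.4.1).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ClientCert:
    """A client certificate as seen after the TLS handshake (constructed)."""
    trusted: bool                      # chain validated against the configured CA
    fields: Dict[str, str] = field(default_factory=dict)  # subject fields


class AuthRejected(Exception):
    """Raised when the login must fail instead of being granted."""


def effective_username(cert: Optional[ClientCert],
                       auth_username: str,
                       username_field: str = "commonName",
                       username_from_cert: bool = True,
                       fixed: bool = True) -> str:
    """Return the identity the server should act as for this login.

    auth_username is the name the client supplied during authentication.
    When a trusted certificate is present and username_from_cert is on, the
    certificate field named by username_field must decide the identity.
    fixed=False reproduces the defect from the report: a missing field fell
    back to the client-provided name instead of failing.
    """
    if cert is None or not cert.trusted or not username_from_cert:
        # No certificate identity is in play; ordinary authentication decides.
        return auth_username

    cert_name = cert.fields.get(username_field)
    if cert_name is None:
        if fixed:
            # Correct behaviour: the cert was supposed to name the user and
            # does not, so the login fails rather than trusting the client.
            raise AuthRejected(
                f"trusted certificate lacks the {username_field} field")
        # Defect: whatever the client claimed becomes the identity.
        return auth_username

    # The certificate field is authoritative over the client-supplied name.
    return cert_name


def is_rejected(cert: Optional[ClientCert], auth_username: str, **kw) -> bool:
    """Helper for checks: True when the login is refused."""
    try:
        effective_username(cert, auth_username, **kw)
    except AuthRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenarios: a cert naming alice, and a trusted cert with
    # no commonName at all.
    named = ClientCert(trusted=True, fields={"commonName": "alice"})
    unnamed = ClientCert(trusted=True, fields={})
    print("no cert, login bob      ->", effective_username(None, "bob"))
    print("cert=alice, login bob   ->", effective_username(named, "bob"))
    print("cert w/o CN, fixed      -> rejected:", is_rejected(unnamed, "bob"))
    print("cert w/o CN, old code   ->",
          effective_username(unnamed, "bob", fixed=False))
```

For an administrator the practical check is the configuration that puts this path in play: Dovecot's auth_ssl_username_from_cert and auth_ssl_require_client_cert settings together with ssl_cert_username_field (the last is the setting named in the report; the first two are Dovecot's settings, not taken from this page). Where a trusted client certificate can reach the server with that field absent, the update to 2.3.4.1 named in this bug is the fix.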
Comment 1 Pascal Christen 2019-02-05 13:50:59 UTC
Created attachment 201762
Patch for Dovecot
Comment 2 commit-hook freebsd_committer freebsd_triage 2019-02-05 14:50:54 UTC
A commit references this bug:

Author: ler
Date: Tue Feb  5 14:50:39 UTC 2019
New revision: 492245
URL: https://svnweb.freebsd.org/changeset/ports/492245

Log:
  mail/dovecot: upgrade to 2.3.4.1

      * CVE-2019-3814: If imap/pop3/managesieve/submission client has
        trusted certificate with missing username field
        (ssl_cert_username_field), under some configurations Dovecot
        mistakenly trusts the username provided via authentication instead
        of failing.
      * ssl_cert_username_field setting was ignored with external SMTP AUTH,
        because none of the MTAs (Postfix, Exim) currently send the
        cert_username field. This may have allowed users with trusted
        certificate to specify any username in the authentication. This bug
        didn't affect Dovecot's Submission service.

  PR:		235523
  Submitted by:	pascal.christen@hostpoint.ch
  MFH:		2019Q1
  Security:	1340fcc1-2953-11e9-bc44-a4badb296695
  Security:	CVE-2019-3814

Changes:
  head/mail/dovecot/Makefile
  head/mail/dovecot/distinfo
Comment 3 Larry Rosenman freebsd_committer freebsd_triage 2019-02-05 14:53:05 UTC
Committed, thanks!
Comment 4 commit-hook freebsd_committer freebsd_triage 2019-02-05 15:03:08 UTC
A commit references this bug:

Author: ler
Date: Tue Feb  5 15:02:37 UTC 2019
New revision: 492248
URL: https://svnweb.freebsd.org/changeset/ports/492248

Log:
  MFH: r489098 r489515 r492245

  mail/dovecot: Pick up a mailinglist patch for solr/tika separation.

  solr and tika currently use the same http client connection.  Upstream
  made the attached patches in response to my (ler@) bug report.

  Obtained from:	upstream mailing list.

  mail/dovecot: Pick up mailing list patch for imap-preauth vs. stats-writer.

  see the dovecot mailing list thread on imap-preauth and stats-writer between
  Stephan Bosch and a FreeBSD user

  Obtained from:	upstream mailing list.

  mail/dovecot: upgrade to 2.3.4.1

      * CVE-2019-3814: If imap/pop3/managesieve/submission client has
        trusted certificate with missing username field
        (ssl_cert_username_field), under some configurations Dovecot
        mistakenly trusts the username provided via authentication instead
        of failing.
      * ssl_cert_username_field setting was ignored with external SMTP AUTH,
        because none of the MTAs (Postfix, Exim) currently send the
        cert_username field. This may have allowed users with trusted
        certificate to specify any username in the authentication. This bug
        didn't affect Dovecot's Submission service.

  PR:		235523
  Submitted by:	pascal.christen@hostpoint.ch
  Security:	1340fcc1-2953-11e9-bc44-a4badb296695
  Security:	CVE-2019-3814

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2019Q1/
  branches/2019Q1/mail/dovecot/Makefile
  branches/2019Q1/mail/dovecot/distinfo
  branches/2019Q1/mail/dovecot/files/patch-src_lib-master_master-service.c
  branches/2019Q1/mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c
  branches/2019Q1/mail/dovecot/files/patch-src_plugins_fts_fts-parser-tika.c