Bug 235523 - mail/dovecot: Update to 2.3.4.1 (CVE-2019-3814)
Summary: mail/dovecot: Update to 2.3.4.1 (CVE-2019-3814)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Larry Rosenman
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2019-02-05 13:49 UTC by Pascal Christen
Modified: 2019-02-05 15:07 UTC (History)
0 users

See Also:
ler: maintainer-feedback+


Attachments
Patch for Dovecot (705 bytes, patch)
2019-02-05 13:50 UTC, Pascal Christen
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Pascal Christen 2019-02-05 13:49:13 UTC
* CVE-2019-3814: If imap/pop3/managesieve/submission client has
      trusted certificate with missing username field
      (ssl_cert_username_field), under some configurations Dovecot
      mistakenly trusts the username provided via authentication instead
      of failing.
    * ssl_cert_username_field setting was ignored with external SMTP AUTH,
      because none of the MTAs (Postfix, Exim) currently send the
      cert_username field. This may have allowed users with trusted
      certificate to specify any username in the authentication. This bug
      didn't affect Dovecot's Submission service.
Comment 1 Pascal Christen 2019-02-05 13:50:59 UTC
Created attachment 201762 [details]
Patch for Dovecot
Comment 2 commit-hook freebsd_committer 2019-02-05 14:50:54 UTC
A commit references this bug:

Author: ler
Date: Tue Feb  5 14:50:39 UTC 2019
New revision: 492245
URL: https://svnweb.freebsd.org/changeset/ports/492245

Log:
  mail/dovecot: upgrade to 2.3.4.1

      * CVE-2019-3814: If imap/pop3/managesieve/submission client has
        trusted certificate with missing username field
        (ssl_cert_username_field), under some configurations Dovecot
        mistakenly trusts the username provided via authentication instead
        of failing.
      * ssl_cert_username_field setting was ignored with external SMTP AUTH,
        because none of the MTAs (Postfix, Exim) currently send the
        cert_username field. This may have allowed users with trusted
        certificate to specify any username in the authentication. This bug
        didn't affect Dovecot's Submission service.

  PR:		235523
  Submitted by:	pascal.christen@hostpoint.ch
  MFH:		2019Q1
  Security:	1340fcc1-2953-11e9-bc44-a4badb296695
  Security:	CVE-2019-3814

Changes:
  head/mail/dovecot/Makefile
  head/mail/dovecot/distinfo
Comment 3 Larry Rosenman freebsd_committer 2019-02-05 14:53:05 UTC
Committed, thanks!
Comment 4 commit-hook freebsd_committer 2019-02-05 15:03:08 UTC
A commit references this bug:

Author: ler
Date: Tue Feb  5 15:02:37 UTC 2019
New revision: 492248
URL: https://svnweb.freebsd.org/changeset/ports/492248

Log:
  MFH: r489098 r489515 r492245

  mail/dovecot: Pick up a mailinglist patch for solr/tika separation.

  solr and tika currently use the same http client connection.  Upstream
  made the attached patches in response to my (ler@) bug report.

  Obtained from:	upstream mailing list.

  mail/dovecot: Pick up mailing list patch for imap-preauth vs. stats-writer.

  see the dovecot mailing list thread on imap-preauth and stats-writer between
  Stephan Bosch and a FreeBSD user

  Obtained from:	upstream mailing list.

  mail/dovecot: upgrade to 2.3.4.1

      * CVE-2019-3814: If imap/pop3/managesieve/submission client has
        trusted certificate with missing username field
        (ssl_cert_username_field), under some configurations Dovecot
        mistakenly trusts the username provided via authentication instead
        of failing.
      * ssl_cert_username_field setting was ignored with external SMTP AUTH,
        because none of the MTAs (Postfix, Exim) currently send the
        cert_username field. This may have allowed users with trusted
        certificate to specify any username in the authentication. This bug
        didn't affect Dovecot's Submission service.

  PR:		235523
  Submitted by:	pascal.christen@hostpoint.ch
  Security:	1340fcc1-2953-11e9-bc44-a4badb296695
  Security:	CVE-2019-3814

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2019Q1/
  branches/2019Q1/mail/dovecot/Makefile
  branches/2019Q1/mail/dovecot/distinfo
  branches/2019Q1/mail/dovecot/files/patch-src_lib-master_master-service.c
  branches/2019Q1/mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c
  branches/2019Q1/mail/dovecot/files/patch-src_plugins_fts_fts-parser-tika.c