-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4385-1 security@xxxxxxxxxx https://www.debian.org/security/ Salvatore Bonaccorso February 05, 2019 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : dovecot CVE ID : CVE-2019-3814 halfdog discovered an authentication bypass vulnerability in the Dovecot email server. Under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. If there is no additional password verification, this allows the attacker to login as anyone else in the system. Only installations using: auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes are affected by this flaw. For the stable distribution (stretch), this problem has been fixed in version 1:2.2.27-3+deb9u3. We recommend that you upgrade your dovecot packages. For the detailed security status of dovecot please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dovecot Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlxZutdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RyVQ/7BzaC81yAtjVriknRUERhdnQhiB93JiuSaW6d+m073Yvgro7G6b4+C3in MHlVbIsKufMNu/Nyt5cnO9PiLWWbt0XbXI17ZOAkQhvButPikCWRx1Rqz5IyZyCv r/h1atFgIwzhBd7RsgEGqSRwxB+uPAMXauF38Sw26mDMQy5FoCr8Neij4g/HmPf2 IiUg39sgs2CLr29BMkpmu1suKPHwqtayDW4Rwr8fLXORk6wZ/rYth7I6LkUCbcMb Q0nQSjvSrcz04d7FSOJoWKDqdsliLSNqgci9s9IEjW7LEpXy6s8Iy8WNUH2PNQfH NDTLE1WyQsGdUTQmE6BiIt9oNzP7A2Vhz60ljOX8FMfA2IZ7sL/SEaIwKc1U+p/V Nx9oMjSL57PGaXpucJwibSJ3zlMVLhwqfwJJdmZnPBBXcAoSB8dm0GVxpksxh1ZI jSjDJFiLrUpKNFywXXrpR4QcaIk8Uiw3lsth4btzkV4lpULPTkzOMTy4Y80od9yp xqYHRNrHb8MS++HNd4nMK2Gg7oVC9/GwGACAI3VKfTDgEvb6ft/q+90s+qjWdI8l /q2174k3yUhgxfDqVJFr+wDSKtWHc41Cc9zokJqIVN9f+qH/VqIfWx5k7SOwchX0 ijgKLYqY08Ti/nMpBGKvJGx/F7S5KMGGi23pK8zhEzckLN3kYoc= =9qPn -----END PGP SIGNATURE-----