dovecot-2.3.16-3.el8

Errata ID: AXSA:2022-4213:02

Release date: Tuesday, November 29, 2022 - 08:19
Subject: dovecot-2.3.16-3.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages.

Security Fix(es):

* dovecot: Privilege escalation when similar master and non-master passdbs are used (CVE-2022-30550)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-30550
An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.
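
A configuration audit for the pattern described above, as an added example that is not part of the advisory or of Dovecot itself: it reads `passdb` blocks in the layout printed by `doveconf -n` and reports any that share the same driver and args settings. The sample configuration, its paths and filter values, and the function names are constructed for illustration.

```python
# Constructed sample in `doveconf -n` layout; paths and filter values are made up.
SAMPLE_CONF = """\
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
  master = yes
  username_filter = admin1 admin2
}
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
"""

def parse_passdbs(conf_text):
    """Return one settings dict per passdb { ... } block (assumes no nested sections)."""
    blocks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if current is None:
            if line.split() == ["passdb", "{"]:
                current = {}
        elif line == "}":
            blocks.append(current)
            current = None
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return blocks

def find_colliding_passdbs(conf_text):
    """Map (driver, args) -> [(index, settings)] for pairs used by more than one passdb."""
    groups = {}
    for index, block in enumerate(parse_passdbs(conf_text)):
        key = (block.get("driver", ""), block.get("args", ""))
        groups.setdefault(key, []).append((index, block))
    return {key: hits for key, hits in groups.items() if len(hits) > 1}

if __name__ == "__main__":
    for (driver, args), hits in find_colliding_passdbs(SAMPLE_CONF).items():
        for index, block in hits:
            role = "master" if block.get("master") == "yes" else "non-master"
            print(f"passdb #{index} ({role}) driver={driver} args={args} "
                  f"username_filter={block.get('username_filter', '<unset>')}")
```

Any group it reports is a pair of definitions to review until the updated packages are installed, since those are the entries whose username_filter and mechanism settings the description says can be applied to the wrong passdb.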

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. dovecot-2.3.16-3.el8.src.rpm
    MD5: 68c3ca141a0abe8d5b6d83207c55507e
    SHA-256: 950576a1d29a6c6c5b6c1abf0688e93262ef188b6f08293eea6bd4e6caf4467f
    Size: 9.21 MB

Asianux Server 8 for x86_64
  1. dovecot-2.3.16-3.el8.x86_64.rpm
    MD5: 981fe161ab1a0524b157d2059ddedf28
    SHA-256: 667f4a73b49b4306868e8ddc448a34b5a579ce5f47c3e4ec8c8c72a84a6ce520
    Size: 5.22 MB
  2. dovecot-devel-2.3.16-3.el8.x86_64.rpm
    MD5: a008743076bda9165949c569bb6d36c7
    SHA-256: 478db50e94c4806b48b596d4c3bfbb5fddb68eb329106ff6679fcd5a745fcac4
    Size: 581.37 kB
  3. dovecot-mysql-2.3.16-3.el8.x86_64.rpm
    MD5: d0dae90be1325510135ee40468b6bdf0
    SHA-256: e79bf1cdda7ed91855c1e197bf28d648bc610952e4a1746e5416027cfcb8e0b0
    Size: 100.58 kB
  4. dovecot-pgsql-2.3.16-3.el8.x86_64.rpm
    MD5: 03f9d4534aede57768279fae7b6abb9c
    SHA-256: 6f18599dfb135713a2633e7d9323a127822a6942fa299260a1c5ee5d02f0cd2f
    Size: 103.86 kB
  5. dovecot-pigeonhole-2.3.16-3.el8.x86_64.rpm
    MD5: 1ca243bb0ed1f6dc8710d15e6224f2f8
    SHA-256: 7ffd1c00c54218bf77173c7a55e34e50b426c451644f91d1441facb08a1d0920
    Size: 483.47 kB
  6. dovecot-2.3.16-3.el8.i686.rpm
    MD5: abd45640476ee9ee78b56c95a23d79a4
    SHA-256: e55728eacf86c7efc126e93f86bd89a81b3654a6afcff8196a63bfaadc469e0f
    Size: 5.62 MB
  7. dovecot-devel-2.3.16-3.el8.i686.rpm
    MD5: e25612891834ba76063f1234ee7d7891
    SHA-256: 06a20b076b0733b163b4a0d40e2dfc35d74506be966d1e15cc33069c2ddeba2f
    Size: 581.37 kB