dovecot-2.3.16-7.el9
Errata ID: AXSA:2023-4711:01
Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages.
Security Fix(es):
* dovecot: Privilege escalation when similar master and non-master passdbs are used (CVE-2022-30550)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the MIRACLE LINUX 9.1 Release Notes linked from the References section.
CVE-2022-30550
An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.
Update packages.
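To check whether a configuration meets the condition described for CVE-2022-30550 (two passdb entries with the same driver and args settings), the following added example, which is not part of the original advisory or of Dovecot, parses `passdb` blocks in the format printed by `doveconf -n` and reports the entries that collide. The sample configuration, its paths and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape `doveconf -n` prints; not taken from the advisory.
SAMPLE = """\
passdb {
  args = /etc/dovecot/users
  driver = passwd-file
  master = yes
  username_filter = admin@example.org
}
passdb {
  args = /etc/dovecot/users
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
"""

def parse_passdbs(text):
    """Return one settings dict per top-level `passdb { ... }` block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            if re.fullmatch(r"passdb\s*\{", line):
                current = {}
        elif line == "}":
            blocks.append(current)
            current = None
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return blocks

def colliding_passdbs(blocks):
    """Map (driver, args) to the indexes of passdbs that share it (CVE-2022-30550)."""
    seen = defaultdict(list)
    for index, block in enumerate(blocks):
        # A missing args line counts as empty, so two bare `driver = pam` entries collide.
        seen[(block.get("driver", ""), block.get("args", ""))].append(index)
    return {ident: idx for ident, idx in seen.items() if len(idx) > 1}

if __name__ == "__main__":
    for (driver, args), idx in colliding_passdbs(parse_passdbs(SAMPLE)).items():
        print(f"passdb entries {idx} share driver={driver!r} args={args!r}")
```

Any reported pair in which one entry carries `master = yes`, `username_filter` or `mechanisms` and the other does not is the kind of configuration the CVE text describes and should be reviewed on unpatched versions.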
SRPMS
- dovecot-2.3.16-7.el9.src.rpm
MD5: 7dbf14ead5c91302332b2b9c7bf5935a
SHA-256: 68d60d845238e8c9bc72004873e4a324954671cd8ce8fa3d8b9d98dfbc29d21a
Size: 9.13 MB
Asianux Server 9 for x86_64
- dovecot-2.3.16-7.el9.x86_64.rpm
MD5: 16cd00a1042a9a31af1c96e3171cce7d
SHA-256: c666e882c5066816f2073a9f5dc96b9f75c4ed832854ffc21f2e6952132886cf
Size: 4.71 MB
- dovecot-devel-2.3.16-7.el9.x86_64.rpm
MD5: 27e74acdd8cffc9dff0468735d31142d
SHA-256: 085e756c5820af1ab540b8358a38cfd071d47989077173094197d0768b115b29
Size: 456.28 kB
- dovecot-mysql-2.3.16-7.el9.x86_64.rpm
MD5: 8256ea9e332c5b1f0c9ab87b86996675
SHA-256: e16b756aad10083a293d564388b3075883159f018b9ab3a32e5374adbd5130d1
Size: 22.25 kB
- dovecot-pgsql-2.3.16-7.el9.x86_64.rpm
MD5: 22eb8645f9626628b56c6e073aa8c07c
SHA-256: 725395cac6132b188a8264c9172c533117810d1128e74a556c7de7ce0f01a69e
Size: 26.24 kB
- dovecot-pigeonhole-2.3.16-7.el9.x86_64.rpm
MD5: 8ececa8af74f2ccce7eca966002269c7
SHA-256: 2678b192b0a0fa81e97c11edf13f241aeba33c92ac4b0ef3d5be2492515e5a14
Size: 375.54 kB
- dovecot-2.3.16-7.el9.i686.rpm
MD5: 205142cd5cbebea2a5b72dd59cfcf587
SHA-256: 190ee7b0b63b23662b8485de915942fc8626024e56361061cc159ad7cdb9ebf4
Size: 5.11 MB
- dovecot-devel-2.3.16-7.el9.i686.rpm
MD5: 61f1d73df2fefa6654b32dd9e5b47932
SHA-256: a4ae7f902a7e6ee9bc8686b38ae8bef1ef3ef2e59847ba0a4b8114a30d4fd349
Size: 456.13 kB