Date: Tue, 05 Feb 2019 13:49:13 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 235523] mail/dovecot: Update to 2.3.4.1 (CVE-2019-3814) Message-ID: <bug-235523-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D235523 Bug ID: 235523 Summary: mail/dovecot: Update to 2.3.4.1 (CVE-2019-3814) Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Keywords: security Severity: Affects Many People Priority: --- Component: Individual Port(s) Assignee: ler@FreeBSD.org Reporter: pascal.christen@hostpoint.ch Assignee: ler@FreeBSD.org Flags: maintainer-feedback?(ler@FreeBSD.org) * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-235523-7788>