Date: Tue, 30 Dec 2014 20:21:50 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
        Assign a CVE Identifier <cve-assign@...re.org>
Subject: CVE for net-mail/dbmail-3.2.2: CRAM-MD5 authentication bypass

https://bugs.gentoo.org/show_bug.cgi?id=534020

link to git repo:
http://git.dbmail.eu/paul/dbmail/log/?h=dbmail_3_2&id=v3.2.2

The bug seems to be around for the 3.2 series only (so current stable is
fine - but old).

http://blog.gmane.org/gmane.mail.imap.dbmail/day=20141219 <- mailing list
post of the author about the vulnerability

a copy of the relevant mail here in case:
===========================================
 Paul J Stevens | 19 Dec 22:55 2014
Security alert: disable CRAM-MD5 if you don't use it


Hi all,

It was brought to my attention that dbmail currently authenticates any
user with any password if the client issues a CRAM-MD5 authentication
exchange, while the user - which does need to exist - has its password
stored in an encrypted format.

This affects all versions supporting cram-md5, so 3.0.0 and later.

Installations using authldap are *not* affected.

You should disable CRAM-MD5 in dbmail.conf if you store passwords encrypted.

A patch was already pushed to git both on dbmail.eu and github.

I'll release a patched version asap.
===========================================

Couldn't get a hold of someone from security on IRC earlier so reporting
a Bug.

In case of an unstable version being the only affected one what would be
the best course of action? - I intend to package.mask 3.2.0 later when I
am on my dev box again (I never added 3.2.1) and also I'd like to
stable-req 3.1.17, since I just added 3.2.2 -- or would this warrant
going for a faster STABLE-REQ of current 3.2.2 with the security fix?

Please let me know what would be the preferred course of action from
your point of view.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
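The failure mode in the quoted advisory is a property of CRAM-MD5 itself: the server must compute HMAC-MD5(password, challenge) to check the client's digest, so it needs the cleartext password (or an HMAC state derived from it). If the stored credential is a one-way hash, the server cannot compute anything to compare against and the only safe answer is to refuse. The example below is added here to illustrate that; it is not dbmail's code and does not reproduce dbmail's storage schema. The USERS table, the hostname and the "lenient_verify" function (a model of the accept-without-checking behaviour the advisory describes) are constructed for the illustration. The "tim" entry and challenge in the test are the published RFC 2195 test vector.

```python
"""CRAM-MD5 (RFC 2195) server-side check that fails closed when the
server has no cleartext secret to verify against.

Added example for this list post; not dbmail code.  USERS and the
hostname are constructed for illustration.
"""
import hashlib
import hmac
import os
import time

# Constructed credential store (not dbmail's schema).  CRAM-MD5 can
# only be verified for "plaintext" records; a one-way hash such as
# SHA-256 gives the server nothing to compute HMAC-MD5 with.
USERS = {
    "tim":   {"scheme": "plaintext", "secret": "tanstaaftanstaaf"},
    "alice": {"scheme": "plaintext", "secret": "correct horse"},
    "bob":   {"scheme": "sha256",
              "secret": hashlib.sha256(b"battery staple").hexdigest()},
}


def make_challenge(hostname="mail.example.test"):
    """Server challenge in the RFC 2195 form <random.timestamp@host>."""
    nonce = int.from_bytes(os.urandom(4), "big")
    return "<%d.%d@%s>" % (nonce, int(time.time()), hostname)


def cram_md5_digest(secret, challenge):
    """Hex HMAC-MD5 of the challenge keyed with the shared secret."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()


def client_response(username, password, challenge):
    """What a client sends back: 'user hex(HMAC-MD5(password, challenge))'."""
    return "%s %s" % (username, cram_md5_digest(password, challenge))


def verify_cram_md5(response, challenge, users=USERS):
    """Hardened check.  Returns (accepted, reason); accepts only when a
    cleartext secret is on file and the digest matches."""
    parts = response.split(" ", 1)
    if len(parts) != 2:
        return False, "malformed response"
    username, digest = parts
    record = users.get(username)
    if record is None:
        return False, "unknown user"
    if record["scheme"] != "plaintext":
        # Stored password is encrypted/hashed: the server cannot compute
        # the expected digest, so it must refuse rather than fall through.
        return False, "cannot verify CRAM-MD5 against %s password" % record["scheme"]
    expected = cram_md5_digest(record["secret"], challenge)
    if not hmac.compare_digest(expected, digest.lower()):
        return False, "bad digest"
    return True, "ok"


def lenient_verify(response, challenge, users=USERS):
    """Model of the behaviour the advisory describes (NOT dbmail's code):
    skipping the comparison when there is no cleartext secret means any
    digest is accepted for users whose passwords are stored encrypted."""
    username, digest = response.split(" ", 1)
    record = users.get(username)
    if record is None:
        return False
    if record["scheme"] != "plaintext":
        return True  # the bypass: "unverifiable" treated as "verified"
    return hmac.compare_digest(cram_md5_digest(record["secret"], challenge), digest)


if __name__ == "__main__":
    chal = make_challenge()
    for user, pw in (("alice", "correct horse"), ("alice", "wrong"), ("bob", "anything")):
        resp = client_response(user, pw, chal)
        print(user, pw, "hardened:", verify_cram_md5(resp, chal), "lenient:", lenient_verify(resp, chal))
```

The "lenient" variant matches the advisory exactly: a user that exists with an encrypted password is authenticated with any password, while plaintext-stored users and unknown users are still checked. Operationally this is why the author's advice is to disable CRAM-MD5 when passwords are stored encrypted rather than to change the storage format: the mechanism needs the cleartext secret, and the server must treat "cannot verify" as a refusal.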


