Date: Tue, 30 Dec 2014 20:21:50 -0700 From: Kurt Seifried <kseifried@...hat.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, Assign a CVE Identifier <cve-assign@...re.org> Subject: CVE for net-mail/dbmail-3.2.2: CRAM-MD5 authentication bypass https://bugs.gentoo.org/show_bug.cgi?id=534020 link to git repo: http://git.dbmail.eu/paul/dbmail/log/?h=dbmail_3_2&id=v3.2.2 The bug seems to be around for the 3.2 series only (so current stable is fine - but old). http://blog.gmane.org/gmane.mail.imap.dbmail/day=20141219 <- mailinglist post of author about the vulnerability a copy of the relevant mail here in case: =========================================== Paul J Stevens | 19 Dec 22:55 2014 Security alert: disable CRAM-MD5 if you don't use it Hi all, It was brought to my attention that dbmail currently authenticates any user with any password if the client issues an CRAM-MD5 authentication exchange, while the user - which does need to exist - has it's password stored in an encrypted format. This affects all versions supporting cram-md5, so 3.0.0 and later. Installations using authldap are *not* affected. You should disable CRAM-MD5 in dbmail.conf if you store password encrypted. A patch was already pushed to git both on dbmail.eu and github. I'll release a patched version asap. =========================================== Couldn'T get a hold of someone from security on IRC earlier so reporting a Bug. In case of an unstable version being the only affected one what would be the best course of action? - I intend to package.mask 3.2.0 later when I am on my dev box again (I never added 3.2.1) and also I'D like to stable-req 3.1.17, since I just added 3.2.2 -- or would this warrant going for a faster STABLE-REQ of current 3.2.2 with the security fix? Please let me know what would be the preferred course of action from your point of view. -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.