Overview
Request 671912 accepted
- update to 2.3.4.1 (boo#1123022)
* CVE-2019-3814: If imap/pop3/managesieve/submission client has
trusted certificate with missing username field
(ssl_cert_username_field), under some configurations Dovecot
mistakenly trusts the username provided via authentication
instead of failing.
* ssl_cert_username_field setting was ignored with external
SMTP AUTH, because none of the MTAs (Postfix, Exim) currently
send the cert_username field. This may have allowed users with
trusted certificate to specify any username in the
authentication. This bug didn't affect Dovecot's Submission
service.
Request History
darix created request
- update to 2.3.4.1 (boo#1123022)
* CVE-2019-3814: If imap/pop3/managesieve/submission client has
trusted certificate with missing username field
(ssl_cert_username_field), under some configurations Dovecot
mistakenly trusts the username provided via authentication
instead of failing.
* ssl_cert_username_field setting was ignored with external
SMTP AUTH, because none of the MTAs (Postfix, Exim) currently
send the cert_username field. This may have allowed users with
trusted certificate to specify any username in the
authentication. This bug didn't affect Dovecot's Submission
service.
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto added repo-checker as a reviewer
Please review build success
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
jengelh accepted review
staging-bot added as a reviewer
Being evaluated by staging project "openSUSE:Factory:Staging:adi:83"
staging-bot accepted review
Picked openSUSE:Factory:Staging:adi:83
repo-checker accepted review
cycle and install check passed
staging-bot accepted review
ready to accept
staging-bot approved review
ready to accept
coolo accepted request
Accept to openSUSE:Factory