{"id":50708,"date":"2023-10-30T17:02:22","date_gmt":"2023-10-30T14:02:22","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/175402\/glsa-202310-19.txt"},"modified":"2023-10-31T08:46:38","modified_gmt":"2023-10-31T05:16:38","slug":"gentoo-linux-security-advisory-202310-19","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/gentoo-linux-security-advisory-202310-19\/","title":{"rendered":"Gentoo Linux Security Advisory 202310-19"},"content":{"rendered":"

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
\nGentoo Linux Security Advisory GLSA 202310-19
\n– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
\nhttps:\/\/security.gentoo.org\/
\n– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –<\/p>\n

Severity: Normal
\nTitle: Dovecot: Privilege Escalation
\nDate: October 30, 2023
\nBugs: #856733
\nID: 202310-19<\/p>\n

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –<\/p>\n

Synopsis
\n========<\/p>\n

A vulnerability has been discovered in Dovecot that can lead to a
\nprivilege escalation when master and non-master passdbs are used.<\/p>\n

Background
\n==========<\/p>\n

Dovecot is an open source IMAP and POP3 email server.<\/p>\n

Affected packages
\n=================<\/p>\n

Package Vulnerable Unaffected
\n—————- ————- ————–
\nnet-mail\/dovecot < 2.3.19.1-r1 >= 2.3.19.1-r1<\/p>\n

Description
\n===========<\/p>\n

A vulnerability has been discovered in Dovecot. Please review the CVE
\nidentifier referenced below for details.<\/p>\n

Impact
\n======<\/p>\n

When two passdb configuration entries exist in Dovecot configuration,
\nwhich have the same driver and args settings, the incorrect
\nusername_filter and mechanism settings can be applied to passdb
\ndefinitions. These incorrectly applied settings can lead to an
\nunintended security configuration and can permit privilege escalation
\nwith certain configurations involving master user authentication.<\/p>\n

Dovecot documentation does not advise against the use of passdb
\ndefinitions which have the same driver and args settings. One such
\nconfiguration would be where an administrator wishes to use the same pam
\nconfiguration or passwd file for both normal and master users but use
\nthe username_filter setting to restrict which of the users is able to be
\na master user.<\/p>\n

Workaround
\n==========<\/p>\n

There is no known workaround at this time.<\/p>\n

Resolution
\n==========<\/p>\n

All Dovecot users should upgrade to the latest version:<\/p>\n

# emerge –sync
\n# emerge –ask –oneshot –verbose “>=net-mail\/dovecot-2.3.19.1-r1”<\/p>\n

References
\n==========<\/p>\n[ 1 ] CVE-2022-30550
\nhttps:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-30550<\/p>\n

Availability
\n============<\/p>\n

This GLSA and any updates to it are available for viewing at
\nthe Gentoo Security Website:<\/p>\n

https:\/\/security.gentoo.org\/glsa\/202310-19<\/p>\n

Concerns?
\n=========<\/p>\n

Security is a primary focus of Gentoo Linux and ensuring the
\nconfidentiality and security of our users’ machines is of utmost
\nimportance to us. Any security concerns should be addressed to
\nsecurity@gentoo.org or alternatively, you may file a bug at
\nhttps:\/\/bugs.gentoo.org.<\/p>\n

License
\n=======<\/p>\n

Copyright 2023 Gentoo Foundation, Inc; referenced text
\nbelongs to its owner(s).<\/p>\n

The contents of this document are licensed under the
\nCreative Commons – Attribution \/ Share Alike license.<\/p>\n

https:\/\/creativecommons.org\/licenses\/by-sa\/2.5<\/p>\n","protected":false},"excerpt":{"rendered":"

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – Gentoo Linux Security Advisory GLSA 202310-19 – – – – – – – – – – – – – …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-50708","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=50708"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50708\/revisions"}],"predecessor-version":[{"id":50756,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50708\/revisions\/50756"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=50708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=50708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=50708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}