oss-sec mailing list archives
CVE for net-mail/dbmail-3.2.2: CRAM-MD5 authentication bypass
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 30 Dec 2014 20:21:50 -0700
https://bugs.gentoo.org/show_bug.cgi?id=534020 link to git repo: http://git.dbmail.eu/paul/dbmail/log/?h=dbmail_3_2&id=v3.2.2 The bug seems to be around for the 3.2 series only (so current stable is fine - but old). http://blog.gmane.org/gmane.mail.imap.dbmail/day=20141219 <- mailinglist post of author about the vulnerability a copy of the relevant mail here in case: =========================================== Paul J Stevens | 19 Dec 22:55 2014 Security alert: disable CRAM-MD5 if you don't use it Hi all, It was brought to my attention that dbmail currently authenticates any user with any password if the client issues an CRAM-MD5 authentication exchange, while the user - which does need to exist - has it's password stored in an encrypted format. This affects all versions supporting cram-md5, so 3.0.0 and later. Installations using authldap are *not* affected. You should disable CRAM-MD5 in dbmail.conf if you store password encrypted. A patch was already pushed to git both on dbmail.eu and github. I'll release a patched version asap. =========================================== Couldn'T get a hold of someone from security on IRC earlier so reporting a Bug. In case of an unstable version being the only affected one what would be the best course of action? - I intend to package.mask 3.2.0 later when I am on my dev box again (I never added 3.2.1) and also I'D like to stable-req 3.1.17, since I just added 3.2.2 -- or would this warrant going for a faster STABLE-REQ of current 3.2.2 with the security fix? Please let me know what would be the preferred course of action from your point of view. -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE for net-mail/dbmail-3.2.2: CRAM-MD5 authentication bypass Kurt Seifried (Dec 30)