'[oss-security] CVE for net-mail/dbmail-3.2.2: CRAM-MD5 authentication bypass'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE for net-mail/dbmail-3.2.2: CRAM-MD5 authentication bypass
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2014-12-31 3:21:50
Message-ID: 54A36BCE.4000602 () redhat ! com
[Download RAW message or body]


https://bugs.gentoo.org/show_bug.cgi?id=534020

link to git repo:
http://git.dbmail.eu/paul/dbmail/log/?h=dbmail_3_2&id=v3.2.2

The bug seems to be around for the 3.2 series only (so current stable is
fine - but old).

http://blog.gmane.org/gmane.mail.imap.dbmail/day=20141219 <- mailinglist
post of author about the vulnerability

a copy of the relevant mail here in case:
===========================================
 Paul J Stevens | 19 Dec 22:55 2014
Security alert: disable CRAM-MD5 if you don't use it


Hi all,

It was brought to my attention that dbmail currently authenticates any
user with any password if the client issues an CRAM-MD5 authentication
exchange, while the user - which does need to exist - has it's password
stored in an encrypted format.

This affects all versions supporting cram-md5, so 3.0.0 and later.

Installations using authldap are *not* affected.

You should disable CRAM-MD5 in dbmail.conf if you store password encrypted.

A patch was already pushed to git both on dbmail.eu and github.

I'll release a patched version asap.
===========================================

Couldn'T get a hold of someone from security on IRC earlier so reporting
a Bug.

In case of an unstable version being the only affected one what would be
the best course of action? - I intend to package.mask 3.2.0 later when I
am on my dev box again (I never added 3.2.1) and also I'D like to
stable-req 3.1.17, since I just added 3.2.2 -- or would this warrant
going for a faster STABLE-REQ of current 3.2.2 with the security fix?

Please let me know what would be the preferred course of action from
your point of view.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic