
List:       oss-security
Subject:    Re: [oss-security] libksieve (used by kmail/kontact) sent password as username
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2024-04-30 7:41:31
Message-ID: ZjCgq5y_tKM0oXW7 () eldamar ! lan

On Thu, Apr 25, 2024 at 06:10:54PM +0200, Jonas Schäfer wrote:
> Hello list,
> 
> Managesieve is a protocol to configure the email filtering system Sieve via 
> TCP/IP. It is typically authenticated just like IMAP is. The managesieve 
> client implementation in KDE (libksieve) had a bug which used the password as 
> username.
> 
> That exposed the password in plaintext server logs, as usernames are commonly 
> logged on failed login attempts.
> 
> This bug has existed for several years and made it into multiple Debian 
> releases. It has only recently been fixed upstream [1] and even more recently 
> been fixed in Debian [2] (stable package updates still pending). As this bug 
> has been documented on the internet at various places [3] [4] but I haven't 
> seen any mention of it here yet, I thought sharing it here made sense.
> 
> As far as I know, no CVE has been allocated for this.

FTR, https://www.cve.org/CVERecord?id=CVE-2023-52723 was assigned for
this issue.

Regards,
Salvatore
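The mechanics behind the leak described in the thread, as an added illustration that is not code from libksieve, KDE or Debian: ManageSieve (RFC 5804) authenticates with SASL, and with the PLAIN mechanism (RFC 4616) the client sends `authzid NUL authcid NUL password` base64-encoded in a single `AUTHENTICATE "PLAIN" "..."` line. If a client fills the authentication-identity slot with the password, the server sees the password as the username and, on a failed login, writes it to its log. The swapped-argument helper below is a hypothetical reproduction of that bug class, not the actual libksieve defect, and the log line format is constructed for the example; real servers differ.

```python
import base64
import re


def sasl_plain_initial_response(authcid: str, password: str, authzid: str = "") -> str:
    """Encode a SASL PLAIN message (RFC 4616): [authzid] NUL authcid NUL passwd, base64."""
    for part in (authzid, authcid, password):
        if "\x00" in part:
            raise ValueError("NUL is not allowed inside SASL PLAIN fields")
    raw = f"{authzid}\x00{authcid}\x00{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def managesieve_authenticate_line(authcid: str, password: str) -> str:
    """Correct client: ManageSieve AUTHENTICATE command with an inline initial response."""
    return f'AUTHENTICATE "PLAIN" "{sasl_plain_initial_response(authcid, password)}"'


def buggy_managesieve_authenticate_line(authcid: str, password: str) -> str:
    """Hypothetical buggy client (illustration only, not libksieve's code): the two
    arguments are swapped, so the password lands in the authentication-identity slot."""
    return f'AUTHENTICATE "PLAIN" "{sasl_plain_initial_response(password, authcid)}"'


_AUTH_RE = re.compile(r'^AUTHENTICATE "PLAIN" "([A-Za-z0-9+/=]*)"$')


def server_decode_plain(line: str) -> tuple[str, str, str]:
    """Server side: parse the AUTHENTICATE line and split the PLAIN message into
    (authzid, authcid, password)."""
    m = _AUTH_RE.match(line)
    if not m:
        raise ValueError("not a PLAIN AUTHENTICATE command")
    raw = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    parts = raw.split("\x00")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    authzid, authcid, password = parts
    return authzid, authcid, password


def failed_login_log_line(line: str, peer: str = "203.0.113.7") -> str:
    """What a server typically records on an authentication failure: the username,
    never the secret. Constructed log format for this example."""
    _, authcid, _ = server_decode_plain(line)
    return f"managesieve-login: auth failed, user=<{authcid}>, rip={peer}"


def password_leaked_to_log(log_line: str, password: str) -> bool:
    """Check whether a log line carries the password where the username belongs."""
    return f"user=<{password}>" in log_line


if __name__ == "__main__":
    user, secret = "alice", "s3cret"  # constructed sample credentials
    for label, line in (
        ("correct", managesieve_authenticate_line(user, secret)),
        ("swapped", buggy_managesieve_authenticate_line(user, secret)),
    ):
        logged = failed_login_log_line(line)
        print(f"{label}: {line}")
        print(f"  server log: {logged}")
        print(f"  password in log: {password_leaked_to_log(logged, secret)}")
```

The server never needs to do anything wrong for the leak to happen: logging the presented username on a failed login is normal practice, which is why a client-side field swap of this kind ends up in plaintext logs that operators routinely keep, ship and back up.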