List: oss-security
Subject: Re: [oss-security] libksieve (used by kmail/kontact) sent password as username
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2024-04-30 7:41:31
Message-ID: ZjCgq5y_tKM0oXW7 () eldamar ! lan
On Thu, Apr 25, 2024 at 06:10:54PM +0200, Jonas Schäfer wrote:
> Hello list,
>
> Managesieve is a protocol to configure the email filtering system Sieve via
> TCP/IP. It is typically authenticated just like IMAP is. The managesieve
> client implementation in KDE (libksieve) had a bug which used the password as
> username.
>
> That exposed the password in plaintext server logs, as usernames are commonly
> logged on failed login attempts.
>
> This bug has existed for several years and made it into multiple Debian
> releases. It has only recently been fixed upstream [1] and even more recently
> been fixed in Debian [2] (stable package updates still pending). As this bug
> has been documented on the internet at various places [3] [4] but I haven't
> seen any mention of it here yet, I thought sharing it here made sense.
>
> As far as I know, no CVE has been allocated for this.
FTR, https://www.cve.org/CVERecord?id=CVE-2023-52723 was assigned for
this issue.
Regards,
Salvatore
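The quoted report explains the failure mode in one sentence: the client put the password where the server expects the username, and servers routinely log the username on failed logins. The following is an added illustration, not code from libksieve, KDE or either poster, of how that plays out on the wire and in a log. It assumes SASL PLAIN (RFC 4616) as the mechanism inside the ManageSieve AUTHENTICATE command (RFC 5804); whether libksieve actually used PLAIN, and what its real code path looked like, is not stated in the thread and is an assumption made here. The credentials, peer address and log format are constructed.

```python
"""Illustration of the 'password sent as username' bug class.

Added example; not libksieve code.  Assumes SASL PLAIN carried inside
ManageSieve AUTHENTICATE.  All sample values are constructed.
"""
import base64
import re


def plain_initial_response(username: str, password: str) -> str:
    """Correct client: authzid empty, authcid = username, passwd = password.

    SASL PLAIN message layout (RFC 4616): authzid NUL authcid NUL passwd.
    """
    raw = "\0".join(["", username, password]).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def plain_initial_response_buggy(username: str, password: str) -> str:
    """The bug class from the report: the password lands in the authcid slot.

    Constructed to mirror 'used the password as username'; the real
    libksieve defect is not shown in the thread, so this is an assumption.
    The username parameter is deliberately ignored, as the buggy client
    never sends it.
    """
    raw = "\0".join(["", password, password]).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def build_command(initial_response: str) -> str:
    """ManageSieve AUTHENTICATE with an initial response (RFC 5804 syntax)."""
    return f'AUTHENTICATE "PLAIN" "{initial_response}"'


def server_parse_plain(cmd_line: str) -> tuple[str, str, str]:
    """Server side: decode the PLAIN message into (authzid, authcid, passwd)."""
    m = re.fullmatch(r'AUTHENTICATE "PLAIN" "([A-Za-z0-9+/=]*)"', cmd_line)
    if not m:
        raise ValueError("not a PLAIN AUTHENTICATE command")
    parts = base64.b64decode(m.group(1)).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message")
    return parts[0], parts[1], parts[2]


def failed_login_log_line(cmd_line: str, peer: str = "203.0.113.5") -> str:
    """What a typical server writes on a failed login.

    Only the username (authcid) is logged, never the password; the leak
    happens because the client put the password *in* the username slot.
    Log format is constructed, modelled on common mail-server auth logs.
    """
    _, authcid, _ = server_parse_plain(cmd_line)
    return f"managesieve-login: auth failed: user=<{authcid}> rip={peer}"


def password_in_log(log_line: str, password: str) -> bool:
    """Defender check: does a log line contain the secret verbatim?

    Useful when triaging which existing logs need scrubbing after a
    client-side bug like this is discovered.
    """
    return password in log_line


def demo(username: str = "alice", password: str = "s3cret-example") -> dict:
    """Run both clients through the server path and report who leaked."""
    good_cmd = build_command(plain_initial_response(username, password))
    bad_cmd = build_command(plain_initial_response_buggy(username, password))
    good_log = failed_login_log_line(good_cmd)
    bad_log = failed_login_log_line(bad_cmd)
    return {
        "correct_client_log": good_log,
        "correct_client_leaks": password_in_log(good_log, password),
        "buggy_client_log": bad_log,
        "buggy_client_leaks": password_in_log(bad_log, password),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example makes concrete is that the server is behaving correctly in both runs: it logs exactly the field it is supposed to log. Once a client fills that field with the secret, every failed attempt (mistyped password, server restart, expired session) writes the secret to disk, which is why the report treats plaintext server logs as the exposure, and why a response has to include scrubbing existing logs, not just shipping the client fix.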