ASA-201902-1 generated external raw

[ASA-201902-1] dovecot: authentication bypass
Arch Linux Security Advisory ASA-201902-1 ========================================= Severity: High Date : 2019-02-06 CVE-ID : CVE-2019-3814 Package : dovecot Type : authentication bypass Remote : Yes Link : https://security.archlinux.org/AVG-872 Summary ======= The package <a href="/package/dovecot">dovecot</a> before version 2.3.4.1-1 is vulnerable to authentication bypass. Resolution ========== Upgrade to 2.3.4.1-1. # pacman -Syu "dovecot>=2.3.4.1-1" The problem has been fixed upstream in version 2.3.4.1. Workaround ========== None. Description =========== A vulnerability has been found in <a href="/package/dovecot">Dovecot</a> versions prior to 2.3.4.1, allowing a remote client in possession of a trusted SSL certificate to log in as any user, in some configurations. This affects only installations using auth_ssl_require_client_cert = yes and auth_ssl_username_from_cert = yes, and the the attacker might have access to a trusted certificate without the ssl_cert_username_field (default to commonName) set in it. Impact ====== A remote client in possession of a trusted SSL certificate might be able to log in as any user. References ========== https://www.dovecot.org/pipermail/dovecot/2019-February/114575.html https://github.com/dovecot/core/commit/61471a5c42528090cffcca9bceded316746637b7 https://security.archlinux.org/CVE-2019-3814