Headline
RHSA-2022:8208: Red Hat Security Advisory: dovecot security and enhancement update
An update for dovecot is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-30550: dovecot: Privilege escalation when similar master and non-master passdbs are used
Synopsis
Moderate: dovecot security and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
An update for dovecot is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages.
Security Fix(es):
- dovecot: Privilege escalation when similar master and non-master passdbs are used (CVE-2022-30550)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for x86_64 9 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
Fixes
- BZ - 2053368 - installing dovecot-pgsql via kickstart fails on Error in POSTIN scriptlet
- BZ - 2095399 - [RFE] dovecot use systemd-sysusers
- BZ - 2105070 - CVE-2022-30550 dovecot: Privilege escalation when similar master and non-master passdbs are used
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
Red Hat Enterprise Linux for x86_64 9
SRPM
dovecot-2.3.16-7.el9.src.rpm
SHA-256: 56eba7f106f10aa45c99fea52bace9a2a5a27a940e59ad8f6cd6003c41ef80a7
x86_64
dovecot-2.3.16-7.el9.x86_64.rpm
SHA-256: 99ddad6d84a97c8411edcb7f37b34c675ce91d4bd60fd864b142fe8b982d2db1
dovecot-debuginfo-2.3.16-7.el9.x86_64.rpm
SHA-256: 2b6ac74af5207d13dfac30dd45799da50b95bbf3fb27ed6442c702158630c629
dovecot-debugsource-2.3.16-7.el9.x86_64.rpm
SHA-256: d7e980a3a6335bc1a96ccfd41bbdd750b16548146878cafd5beadf27b27995ca
dovecot-mysql-2.3.16-7.el9.x86_64.rpm
SHA-256: ab8fe59ede6531f8b4919c16b97a773d94630586ce64af36a583868d420b8d2f
dovecot-mysql-debuginfo-2.3.16-7.el9.x86_64.rpm
SHA-256: ca280523051c52cee9839d72edda85398470d710ba34045e4d01eddc88233731
dovecot-pgsql-2.3.16-7.el9.x86_64.rpm
SHA-256: 276fc9be06250fddf8116ef24d1bcdeb619952ba2032bb79ce30584117b8a38e
dovecot-pgsql-debuginfo-2.3.16-7.el9.x86_64.rpm
SHA-256: 560c482b217d3645580cdc6e034fca692865c364a58292df4ccc0476924154ae
dovecot-pigeonhole-2.3.16-7.el9.x86_64.rpm
SHA-256: b2bae20bbe14035f64cf1d2cb66df917b19f46738cac3060216e6cdb69e3f17c
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.x86_64.rpm
SHA-256: 46f9ffc4079ddfa595edea3ffd251054da2fdd260026eab40874eba1dc3c7149
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
dovecot-2.3.16-7.el9.src.rpm
SHA-256: 56eba7f106f10aa45c99fea52bace9a2a5a27a940e59ad8f6cd6003c41ef80a7
s390x
dovecot-2.3.16-7.el9.s390x.rpm
SHA-256: 134b846185c79489eb471aad33a31efe99cb55c1296c773b88407cdf16423fc5
dovecot-debuginfo-2.3.16-7.el9.s390x.rpm
SHA-256: 68eb3c1bdca797e93a55d2332fb2ee6489e6b11c74a04c892e6c7277b8732091
dovecot-debugsource-2.3.16-7.el9.s390x.rpm
SHA-256: a09d33d6445dcb20a82dfdb9421702aeece166b8504df933612a48ea438fe684
dovecot-mysql-2.3.16-7.el9.s390x.rpm
SHA-256: 3be1d5151081544bba327ec92f1e1f6caae80e90901cae2cf97b99704c5915dc
dovecot-mysql-debuginfo-2.3.16-7.el9.s390x.rpm
SHA-256: f264d996f7f7630c6f0956254d516612d30b3497661c2d7ec304b7e3dc04fe55
dovecot-pgsql-2.3.16-7.el9.s390x.rpm
SHA-256: 2f678989b0436a4d8f2871d33e2775578e32d0a59903ae04028c39a4a1e1a899
dovecot-pgsql-debuginfo-2.3.16-7.el9.s390x.rpm
SHA-256: 656160f60efe6976f58159c03e8fbaeae9103c9944776980775460e988634397
dovecot-pigeonhole-2.3.16-7.el9.s390x.rpm
SHA-256: d54bcc556f6b9c34ed290b210ff11421e06bc4031169704c348a98bfec22ac8d
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.s390x.rpm
SHA-256: bbbd91533223097de134e6a4f14003c650ef3786fe99708e1fbe30cccdc7e2e3
Red Hat Enterprise Linux for Power, little endian 9
SRPM
dovecot-2.3.16-7.el9.src.rpm
SHA-256: 56eba7f106f10aa45c99fea52bace9a2a5a27a940e59ad8f6cd6003c41ef80a7
ppc64le
dovecot-2.3.16-7.el9.ppc64le.rpm
SHA-256: 304c6d816959a358aeb5e35907dffc5b1ce704a2fbf6c1b37309ca1923e5f3c3
dovecot-debuginfo-2.3.16-7.el9.ppc64le.rpm
SHA-256: 9ae30a9db1e163bbbda2392a1588da3f89a77d67de2313dbd0b1fea507633293
dovecot-debugsource-2.3.16-7.el9.ppc64le.rpm
SHA-256: ce752423509d3971659ff42d2c0b8e9cff23dcd6bf5c611614f11544fb43e32c
dovecot-mysql-2.3.16-7.el9.ppc64le.rpm
SHA-256: 6d345b8a9407190109d8f4720c4fb40a20c64ff2f399be2cc30c347482dd1339
dovecot-mysql-debuginfo-2.3.16-7.el9.ppc64le.rpm
SHA-256: 938ee2f2bcc880c94f6a587fbf0f4f4b61670d25a3f1acab11efb061a33aa2b3
dovecot-pgsql-2.3.16-7.el9.ppc64le.rpm
SHA-256: be9564d0134ef70a6b3757dfe342589068289d3e352a39cf1e369b1a002d6fb0
dovecot-pgsql-debuginfo-2.3.16-7.el9.ppc64le.rpm
SHA-256: c81cd3f983d815180f30f38de166c2c30085341af01a0ecba8552533fc42b1fa
dovecot-pigeonhole-2.3.16-7.el9.ppc64le.rpm
SHA-256: eb7d5635a987649a22862aa979629ed320fbef3764cb6b1d60828f510cc4b951
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.ppc64le.rpm
SHA-256: 62391c1091ca828d18e09903d8e9e3899c99b3c1dcedba2e0cf45cf768b1938a
Red Hat Enterprise Linux for ARM 64 9
SRPM
dovecot-2.3.16-7.el9.src.rpm
SHA-256: 56eba7f106f10aa45c99fea52bace9a2a5a27a940e59ad8f6cd6003c41ef80a7
aarch64
dovecot-2.3.16-7.el9.aarch64.rpm
SHA-256: dff8aa74c06e3982ba27d57d84e3b65bf3838cf970f7bd6dd01d290d302f0e43
dovecot-debuginfo-2.3.16-7.el9.aarch64.rpm
SHA-256: 1261fbab61e74a764f62bb2164694fb0fb39e39f55776680057593f51781217e
dovecot-debugsource-2.3.16-7.el9.aarch64.rpm
SHA-256: e1de084e43fcdc7bc256ace2137ade09894deed03feea59990e37dcc0f242868
dovecot-mysql-2.3.16-7.el9.aarch64.rpm
SHA-256: e2bd203163da70099850baceefb99587371c433d25e0eecf5234b573a39d89c2
dovecot-mysql-debuginfo-2.3.16-7.el9.aarch64.rpm
SHA-256: da701cf352a368a629e5d64e011f2c1036ed7227e082dd4f64da2c7400c880f5
dovecot-pgsql-2.3.16-7.el9.aarch64.rpm
SHA-256: 2dbbfc5fba03deda615f412ac15c6cebfecbd6f0d18ddbc8bd47a292b7ee794d
dovecot-pgsql-debuginfo-2.3.16-7.el9.aarch64.rpm
SHA-256: 529afabc9074305651dc24d3488e76bb84373e7f49f528c3c255a91d43277145
dovecot-pigeonhole-2.3.16-7.el9.aarch64.rpm
SHA-256: 137baa28df5bc88de2775d4c8e5ac6c4eeb2899ca7551ad7392ba057408bfdbd
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.aarch64.rpm
SHA-256: b23420553494d5b792ac5ee91a0ca1247362cce8df47a66c152eff0e1fea611f
Red Hat CodeReady Linux Builder for x86_64 9
x86_64
dovecot-2.3.16-7.el9.i686.rpm
SHA-256: 1c38fa55e1a42e0118d8a1f2cef25d7c9e1971cdd9e0122e0247a6df554b1696
dovecot-debuginfo-2.3.16-7.el9.i686.rpm
SHA-256: 1ed4c45db2f88e71577c663bd346544ea14bdbc8a7a86b91c50f6e621cb3e13f
dovecot-debuginfo-2.3.16-7.el9.x86_64.rpm
SHA-256: 2b6ac74af5207d13dfac30dd45799da50b95bbf3fb27ed6442c702158630c629
dovecot-debugsource-2.3.16-7.el9.i686.rpm
SHA-256: c4610844df94fb1aa6d301d83d539f084771f45370cab07ea87a1560096c4fed
dovecot-debugsource-2.3.16-7.el9.x86_64.rpm
SHA-256: d7e980a3a6335bc1a96ccfd41bbdd750b16548146878cafd5beadf27b27995ca
dovecot-devel-2.3.16-7.el9.i686.rpm
SHA-256: cb140bd1b7658d0268f1bd03027ebab37edd56937b789bc930fc8918bf237df3
dovecot-devel-2.3.16-7.el9.x86_64.rpm
SHA-256: 05062680c1ef4c377f355c3c19b96c5d551668deb680725c8308648388c0bb5e
dovecot-mysql-debuginfo-2.3.16-7.el9.i686.rpm
SHA-256: 4de0dc22ead64403e8cf7bd0234d3cb0bce2bba13ad4df9e0519a8fd1aebad95
dovecot-mysql-debuginfo-2.3.16-7.el9.x86_64.rpm
SHA-256: ca280523051c52cee9839d72edda85398470d710ba34045e4d01eddc88233731
dovecot-pgsql-debuginfo-2.3.16-7.el9.i686.rpm
SHA-256: af1149d7cf772c5f89d1b93e11b05c53e234445547d7d6f899f2299b36b16830
dovecot-pgsql-debuginfo-2.3.16-7.el9.x86_64.rpm
SHA-256: 560c482b217d3645580cdc6e034fca692865c364a58292df4ccc0476924154ae
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.i686.rpm
SHA-256: b22bfac6263ed21d4e36a8f182d92d21fbd26ed0bb0ca34cb040d504b882c590
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.x86_64.rpm
SHA-256: 46f9ffc4079ddfa595edea3ffd251054da2fdd260026eab40874eba1dc3c7149
Red Hat CodeReady Linux Builder for Power, little endian 9
ppc64le
dovecot-debuginfo-2.3.16-7.el9.ppc64le.rpm
SHA-256: 9ae30a9db1e163bbbda2392a1588da3f89a77d67de2313dbd0b1fea507633293
dovecot-debugsource-2.3.16-7.el9.ppc64le.rpm
SHA-256: ce752423509d3971659ff42d2c0b8e9cff23dcd6bf5c611614f11544fb43e32c
dovecot-devel-2.3.16-7.el9.ppc64le.rpm
SHA-256: 888a7745db745eb17168efbe624a88bd36b26d593e232cb278a0c0df92c4e47c
dovecot-mysql-debuginfo-2.3.16-7.el9.ppc64le.rpm
SHA-256: 938ee2f2bcc880c94f6a587fbf0f4f4b61670d25a3f1acab11efb061a33aa2b3
dovecot-pgsql-debuginfo-2.3.16-7.el9.ppc64le.rpm
SHA-256: c81cd3f983d815180f30f38de166c2c30085341af01a0ecba8552533fc42b1fa
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.ppc64le.rpm
SHA-256: 62391c1091ca828d18e09903d8e9e3899c99b3c1dcedba2e0cf45cf768b1938a
Red Hat CodeReady Linux Builder for ARM 64 9
aarch64
dovecot-debuginfo-2.3.16-7.el9.aarch64.rpm
SHA-256: 1261fbab61e74a764f62bb2164694fb0fb39e39f55776680057593f51781217e
dovecot-debugsource-2.3.16-7.el9.aarch64.rpm
SHA-256: e1de084e43fcdc7bc256ace2137ade09894deed03feea59990e37dcc0f242868
dovecot-devel-2.3.16-7.el9.aarch64.rpm
SHA-256: e09d784204eb4850627de0631eeaf2d6aca65dfdf8f662f949d39115b33c86c9
dovecot-mysql-debuginfo-2.3.16-7.el9.aarch64.rpm
SHA-256: da701cf352a368a629e5d64e011f2c1036ed7227e082dd4f64da2c7400c880f5
dovecot-pgsql-debuginfo-2.3.16-7.el9.aarch64.rpm
SHA-256: 529afabc9074305651dc24d3488e76bb84373e7f49f528c3c255a91d43277145
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.aarch64.rpm
SHA-256: b23420553494d5b792ac5ee91a0ca1247362cce8df47a66c152eff0e1fea611f
Red Hat CodeReady Linux Builder for IBM z Systems 9
s390x
dovecot-debuginfo-2.3.16-7.el9.s390x.rpm
SHA-256: 68eb3c1bdca797e93a55d2332fb2ee6489e6b11c74a04c892e6c7277b8732091
dovecot-debugsource-2.3.16-7.el9.s390x.rpm
SHA-256: a09d33d6445dcb20a82dfdb9421702aeece166b8504df933612a48ea438fe684
dovecot-devel-2.3.16-7.el9.s390x.rpm
SHA-256: fa82d8569688b39c0afbe4bb59a657778621d74ea28776a81f467f489749436b
dovecot-mysql-debuginfo-2.3.16-7.el9.s390x.rpm
SHA-256: f264d996f7f7630c6f0956254d516612d30b3497661c2d7ec304b7e3dc04fe55
dovecot-pgsql-debuginfo-2.3.16-7.el9.s390x.rpm
SHA-256: 656160f60efe6976f58159c03e8fbaeae9103c9944776980775460e988634397
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.s390x.rpm
SHA-256: bbbd91533223097de134e6a4f14003c650ef3786fe99708e1fbe30cccdc7e2e3
Related news
Gentoo Linux Security Advisory 202310-19 - A vulnerability has been discovered in Dovecot that can lead to a privilege escalation when master and non-master passdbs are used. Versions prior to 2.3.19.1-r1 are affected.
Red Hat Security Advisory 2022-8208-01 - Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Issues addressed include a privilege escalation vulnerability.
An update for dovecot is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30550: dovecot: Privilege escalation when similar master and non-master passdbs are used
An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.
Ubuntu Security Notice 5509-1 - Julian Brook discovered that Dovecot incorrectly handled multiple passdb configuration entries. In certain configurations, a remote attacker could possibly use this issue to escalate privileges.
Dovecot IMAP server version 2.2 suffers from a privilege escalation vulnerability. When two passdb configuration entries exist in the Dovecot configuration, which have the same driver and args settings, the incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation with certain configurations involving master user authentication.
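The configuration shape the CVE description above warns about, together with an audit for it, as an added example (written for this page; not Red Hat's or Dovecot's own code). The script parses the brace-delimited output of `doveconf -n`, flags passdb pairs that share driver and args but differ in username_filter or mechanisms, and checks an installed dovecot package string against the build this advisory ships (2.3.16-7.el9). The two configurations are constructed samples; that the pre-2.3.20 auth code merges passdbs on driver+args, that distinct args avoid the merge, the simplified rpm version ordering, and the default `rpm -q` output format are assumptions made for the example.

```python
"""Audit helpers for CVE-2022-30550 (added example; not Red Hat's or Dovecot's code).

Assumptions, not taken from the advisory:
- Configuration input is the text `doveconf -n` prints (brace-delimited blocks).
- Before Dovecot 2.3.20 two passdb entries sharing `driver` and `args` are
  merged, so one entry's `username_filter`/`mechanisms` can be applied to the
  other; the audit flags exactly that shape.
- `rpm -q dovecot` prints `dovecot-<version>-<release>.<arch>` (epoch omitted).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the pattern the CVE text describes.  One passwd file
# backs both normal and master logins, and username_filter alone is meant to
# restrict which users may authenticate as a master user.
VULNERABLE_CONF = """\
passdb {
  args = /etc/dovecot/users
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/users
  driver = passwd-file
  master = yes
  result_success = continue
  username_filter = admin*
}
userdb {
  driver = passwd
}
"""

# Constructed safe variant: master users come from a separate file, so the two
# entries differ in `args` and are not merged (assumption, see module docstring).
SAFE_CONF = """\
passdb {
  args = /etc/dovecot/users
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  result_success = continue
}
"""

_PASSDB_BLOCK = re.compile(r"^passdb\s*\{(.*?)^\}", re.S | re.M)


def parse_passdbs(conf: str) -> List[Dict[str, str]]:
    """Return one {setting: value} dict per top-level passdb block, in file order."""
    passdbs = []
    for block in _PASSDB_BLOCK.finditer(conf):
        settings: Dict[str, str] = {}
        for line in block.group(1).splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                settings[key.strip()] = value.strip()
        passdbs.append(settings)
    return passdbs


def find_merge_collisions(conf: str) -> List[Tuple[int, int, str]]:
    """Flag passdb pairs (i, j, setting) that share driver and args but differ in
    username_filter or mechanisms: the shape on which the merge misapplies settings."""
    passdbs = parse_passdbs(conf)
    findings = []
    for i, a in enumerate(passdbs):
        for j in range(i + 1, len(passdbs)):
            b = passdbs[j]
            if (a.get("driver"), a.get("args", "")) != (b.get("driver"), b.get("args", "")):
                continue
            for setting in ("username_filter", "mechanisms"):
                if a.get(setting) != b.get(setting):
                    findings.append((i, j, setting))
    return findings


# Build shipped by RHSA-2022:8208 for RHEL 9 (from the package list above).
FIXED_VERSION, FIXED_RELEASE = "2.3.16", "7.el9"
_ARCH_SUFFIX = re.compile(r"\.(x86_64|aarch64|ppc64le|s390x|i686|noarch|src)$")


def _segments(s: str) -> List[Tuple[int, object]]:
    """Split '7.el9' into comparable segments; numeric segments rank above
    alphabetic ones as in rpm (simplified: no tilde/caret handling)."""
    return [(1, int(p)) if p.isdigit() else (0, p) for p in re.findall(r"\d+|[A-Za-z]+", s)]


def rhel9_build_is_fixed(nevra: str) -> bool:
    """True if an installed dovecot package string (default `rpm -q dovecot`
    output) is the RHSA-2022:8208 build or a later rebuild of it."""
    name, version, release = _ARCH_SUFFIX.sub("", nevra).rsplit("-", 2)
    if name != "dovecot" and not name.startswith("dovecot-"):
        raise ValueError(f"not a dovecot package: {nevra}")
    installed = (_segments(version), _segments(release))
    return installed >= (_segments(FIXED_VERSION), _segments(FIXED_RELEASE))


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("safe", SAFE_CONF)):
        print(label, find_merge_collisions(conf))
    print(rhel9_build_is_fixed("dovecot-2.3.16-7.el9.x86_64"))
```

Feed `find_merge_collisions` the output of `doveconf -n` on the host; an empty list means no passdb pair has the colliding shape. The package check deliberately compares against the RHEL build, not the upstream 2.3.20 threshold quoted in the CVE text: RHEL 9 carries the fix as a backport in 2.3.16-7.el9, so a scanner keyed on upstream version numbers would report a patched RHEL system as still vulnerable.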