Headline
RHSA-2022:7623: Red Hat Security Advisory: dovecot security update
An update for dovecot is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-30550: dovecot: Privilege escalation when similar master and non-master passdbs are used
Synopsis
Moderate: dovecot security update
Type/Severity
Security Advisory: Moderate
Description
Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages.
Security Fix(es):
- dovecot: Privilege escalation when similar master and non-master passdbs are used (CVE-2022-30550)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.7 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
- Red Hat CodeReady Linux Builder for x86_64 8 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x
Fixes
- BZ - 2105070 - CVE-2022-30550 dovecot: Privilege escalation when similar master and non-master passdbs are used
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index
Red Hat Enterprise Linux for x86_64 8
SRPM
dovecot-2.3.16-3.el8.src.rpm
SHA-256: 0685191f1904c59a1f9199996701ca88a24e90f4e6797cc55dc4ae6285785e26
x86_64
dovecot-2.3.16-3.el8.x86_64.rpm
SHA-256: 4dbf7afb486b89f1ab1eb54ed2b4555920d2adfa96e44db0cd13b2add298fcdf
dovecot-debuginfo-2.3.16-3.el8.x86_64.rpm
SHA-256: 29405228d1570a30a1f2236370d295b483736baa4f0b6d9875f99b8d948fe9ea
dovecot-debugsource-2.3.16-3.el8.x86_64.rpm
SHA-256: 4316cfa5a4957fbe5e7de28880a88764ff30facd1ed1184fa442bd2ec607cce3
dovecot-mysql-2.3.16-3.el8.x86_64.rpm
SHA-256: 43d636bfff1b65750c98541c18a96b8fb64463baff30e51389e6ff7021c5ee13
dovecot-mysql-debuginfo-2.3.16-3.el8.x86_64.rpm
SHA-256: 967bfad11b7b9c8e118be81bfb93309408684394ce36242afdd396323357d7bf
dovecot-pgsql-2.3.16-3.el8.x86_64.rpm
SHA-256: 8fc842f462641e837341512e2a725fe44c54489884cdacd9ee4264f7cdf93ebd
dovecot-pgsql-debuginfo-2.3.16-3.el8.x86_64.rpm
SHA-256: 733c5b085be625dc31aa87be09b017837c31e03831dc764e51f61a3851acc96e
dovecot-pigeonhole-2.3.16-3.el8.x86_64.rpm
SHA-256: 096641a1ab0ff4b33f2920520019d20fff8e0904f48568389476ce90555b18fa
dovecot-pigeonhole-debuginfo-2.3.16-3.el8.x86_64.rpm
SHA-256: 740077eb1fc9fb5a2a2d72e37b4b1db2d92610e68d5fd7670015a573f03231a4
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
dovecot-2.3.16-3.el8.src.rpm
SHA-256: 0685191f1904c59a1f9199996701ca88a24e90f4e6797cc55dc4ae6285785e26
s390x
dovecot-2.3.16-3.el8.s390x.rpm
SHA-256: 8d2acda3f0bc0d82c5588e13336e61a34f6ae32de87e5592098289c7132599e6
dovecot-debuginfo-2.3.16-3.el8.s390x.rpm
SHA-256: 3b5e4a4d7d593ebfd03b3b729e8de07c9b0a25292f0c1e78e58c1785f4f34d6f
dovecot-debugsource-2.3.16-3.el8.s390x.rpm
SHA-256: 0608dd6da35527125c6d4268837bc796df3b69ccbf6bdafabb2a1a6541f58415
dovecot-mysql-2.3.16-3.el8.s390x.rpm
SHA-256: e7cdf1b8b21a83f6c81f1cf3b79cd504cf5c8013ea4a6e32622620e2dbbd5514
dovecot-mysql-debuginfo-2.3.16-3.el8.s390x.rpm
SHA-256: 9a292cf35c8e7617b3c7219b6c411f1cb2134fa74c37e9eadc55373e917e0c8c
dovecot-pgsql-2.3.16-3.el8.s390x.rpm
SHA-256: b0644ab7221636bf569a0c59cf4de6c9c3d619e9d7d3533a91b13744f2928fa0
dovecot-pgsql-debuginfo-2.3.16-3.el8.s390x.rpm
SHA-256: 9bdc18d8e63389c42108e70bc46f32075c151c8ae2eb3a845862377d9ffd07f6
dovecot-pigeonhole-2.3.16-3.el8.s390x.rpm
SHA-256: 58688ceb569f14130c88402056ac851b98c453a37482dad58c686f4a7e5b8edc
dovecot-pigeonhole-debuginfo-2.3.16-3.el8.s390x.rpm
SHA-256: 11e6d299d84e904e9996f9ac6441d6e3c0f0e0607e3cef1c7971b2190c9406a8
Red Hat Enterprise Linux for Power, little endian 8
SRPM
dovecot-2.3.16-3.el8.src.rpm
SHA-256: 0685191f1904c59a1f9199996701ca88a24e90f4e6797cc55dc4ae6285785e26
ppc64le
dovecot-2.3.16-3.el8.ppc64le.rpm
SHA-256: 12480dbef0e2faa7e73ce47c262185af681a0caa3ab95fcaf243a9806108d9f0
dovecot-debuginfo-2.3.16-3.el8.ppc64le.rpm
SHA-256: 72de083cb3ef7d92e14879b8298e3ecc9cb65afe8a2028bbb97ccb3b8e58c50d
dovecot-debugsource-2.3.16-3.el8.ppc64le.rpm
SHA-256: 880ad478c24e6946ac9a8d1d5745855bc024727a6caef8e241d6e5b7a4638bf8
dovecot-mysql-2.3.16-3.el8.ppc64le.rpm
SHA-256: 5a2143ef484d111296bc2e6684378e51d57cba83d1b8ffb4968fd4c6152652c8
dovecot-mysql-debuginfo-2.3.16-3.el8.ppc64le.rpm
SHA-256: 3385d00e8516d91e38bb5e807f6c2f66f34825600896c2866f030d53d137c030
dovecot-pgsql-2.3.16-3.el8.ppc64le.rpm
SHA-256: e1e355df5b263491e6a85899dd2fe7f8dd9d6fa50b9fcdeed6f2b14c12aa9951
dovecot-pgsql-debuginfo-2.3.16-3.el8.ppc64le.rpm
SHA-256: 9c91669facb2e69349d058111a3e4b8365469fac8c380bdc0b60e3c76d9c12ca
dovecot-pigeonhole-2.3.16-3.el8.ppc64le.rpm
SHA-256: c68ded92de293189279bbd19a012fad963962d29613cfd8db7dde0fc3d4c9436
dovecot-pigeonhole-debuginfo-2.3.16-3.el8.ppc64le.rpm
SHA-256: b39ea4dbcdd67d13ac9df00b56715fc5e747192636a5a2407f502c8f5dfe3617
Red Hat Enterprise Linux for ARM 64 8
SRPM
dovecot-2.3.16-3.el8.src.rpm
SHA-256: 0685191f1904c59a1f9199996701ca88a24e90f4e6797cc55dc4ae6285785e26
aarch64
dovecot-2.3.16-3.el8.aarch64.rpm
SHA-256: 8f1777df0f5084b9f5945a58fac360489b8a48f4adf72e0dba55e5265b76dd77
dovecot-debuginfo-2.3.16-3.el8.aarch64.rpm
SHA-256: 12fefa8faca5e323f7065ef7f0f015e3c32982a102b152399cbdf7dfde149fe7
dovecot-debugsource-2.3.16-3.el8.aarch64.rpm
SHA-256: e0b5b86d3bb7b12af1fdef3b3f2d29e3170da095c3fe774561310c1173b35dcc
dovecot-mysql-2.3.16-3.el8.aarch64.rpm
SHA-256: 1164babff90a42e6c9b2e08957800f1728a9cc009bd5354c3ca137c2d1cde964
dovecot-mysql-debuginfo-2.3.16-3.el8.aarch64.rpm
SHA-256: d61ec2678b1f6f0ebfb515559d7754b76fd5ebc9b24d094604645f35d25f1cb6
dovecot-pgsql-2.3.16-3.el8.aarch64.rpm
SHA-256: d69527539e97377c9340b1248d806193ea17ed1aa6b710ec0f420f2af6f1015d
dovecot-pgsql-debuginfo-2.3.16-3.el8.aarch64.rpm
SHA-256: ea794bb7776adcec3693657a1fe13562973eb007cb6793118530cd957cec675f
dovecot-pigeonhole-2.3.16-3.el8.aarch64.rpm
SHA-256: 4d4dcca09dd0deeb74cd7e0cab87db1ae33e07e77a229bc9a2b0022da014f62d
dovecot-pigeonhole-debuginfo-2.3.16-3.el8.aarch64.rpm
SHA-256: e53c1fc821dc9a526fdd0370ca7f06a82d9d8ddf95ac6e10925af43d2e1fb004
Red Hat CodeReady Linux Builder for x86_64 8
x86_64
dovecot-2.3.16-3.el8.i686.rpm
SHA-256: 9ddb0f6656e4b8ac64805555791944aaf813e19df65da59b00abd83715899054
dovecot-debuginfo-2.3.16-3.el8.i686.rpm
SHA-256: b8db37c9c0a963877f79884b2440a7bc4e34b248d517780168dd8d9fd28c373e
dovecot-debuginfo-2.3.16-3.el8.x86_64.rpm
SHA-256: 29405228d1570a30a1f2236370d295b483736baa4f0b6d9875f99b8d948fe9ea
dovecot-debugsource-2.3.16-3.el8.i686.rpm
SHA-256: c9fefcd0a5449c5378d03e85f1d9ec0cedf0c143a658c333121e356344b531bb
dovecot-debugsource-2.3.16-3.el8.x86_64.rpm
SHA-256: 4316cfa5a4957fbe5e7de28880a88764ff30facd1ed1184fa442bd2ec607cce3
dovecot-devel-2.3.16-3.el8.i686.rpm
SHA-256: 31c0a0d9ac0a2791a0e9ab5861596a9e321ca8a2e2e021c704cfb1c95a617e57
dovecot-devel-2.3.16-3.el8.x86_64.rpm
SHA-256: 01ae58b99b9da3fb3e7bba4de7039339e5a66481d6f46cb0d0c052641ea55570
dovecot-mysql-debuginfo-2.3.16-3.el8.i686.rpm
SHA-256: 74ca21c312298e33f18ddb0b345a70e4a9ce6e9e0c93b28fb719213093d698fe
dovecot-mysql-debuginfo-2.3.16-3.el8.x86_64.rpm
SHA-256: 967bfad11b7b9c8e118be81bfb93309408684394ce36242afdd396323357d7bf
dovecot-pgsql-debuginfo-2.3.16-3.el8.i686.rpm
SHA-256: 072ddd9e5ceaaf45c1f23aca73d0d062f753ee737ae184c0600978669ef4d704
dovecot-pgsql-debuginfo-2.3.16-3.el8.x86_64.rpm
SHA-256: 733c5b085be625dc31aa87be09b017837c31e03831dc764e51f61a3851acc96e
dovecot-pigeonhole-debuginfo-2.3.16-3.el8.i686.rpm
SHA-256: 3080cef7f06807bc1c34ee18b0581e892f373fbc579568ed6ae7362a42431558
dovecot-pigeonhole-debuginfo-2.3.16-3.el8.x86_64.rpm
SHA-256: 740077eb1fc9fb5a2a2d72e37b4b1db2d92610e68d5fd7670015a573f03231a4
Red Hat CodeReady Linux Builder for Power, little endian 8
ppc64le
dovecot-debuginfo-2.3.16-3.el8.ppc64le.rpm
SHA-256: 72de083cb3ef7d92e14879b8298e3ecc9cb65afe8a2028bbb97ccb3b8e58c50d
dovecot-debugsource-2.3.16-3.el8.ppc64le.rpm
SHA-256: 880ad478c24e6946ac9a8d1d5745855bc024727a6caef8e241d6e5b7a4638bf8
dovecot-devel-2.3.16-3.el8.ppc64le.rpm
SHA-256: 579df8a4cc42b975fe6445f54aaa049441c3bffd0985eafcad263eb092dc82bf
dovecot-mysql-debuginfo-2.3.16-3.el8.ppc64le.rpm
SHA-256: 3385d00e8516d91e38bb5e807f6c2f66f34825600896c2866f030d53d137c030
dovecot-pgsql-debuginfo-2.3.16-3.el8.ppc64le.rpm
SHA-256: 9c91669facb2e69349d058111a3e4b8365469fac8c380bdc0b60e3c76d9c12ca
dovecot-pigeonhole-debuginfo-2.3.16-3.el8.ppc64le.rpm
SHA-256: b39ea4dbcdd67d13ac9df00b56715fc5e747192636a5a2407f502c8f5dfe3617
Red Hat CodeReady Linux Builder for ARM 64 8
aarch64
dovecot-debuginfo-2.3.16-3.el8.aarch64.rpm
SHA-256: 12fefa8faca5e323f7065ef7f0f015e3c32982a102b152399cbdf7dfde149fe7
dovecot-debugsource-2.3.16-3.el8.aarch64.rpm
SHA-256: e0b5b86d3bb7b12af1fdef3b3f2d29e3170da095c3fe774561310c1173b35dcc
dovecot-devel-2.3.16-3.el8.aarch64.rpm
SHA-256: fa817eaef697c083824c195cbf5401fd73c069c4818b4eb2ceb2e98a139a8363
dovecot-mysql-debuginfo-2.3.16-3.el8.aarch64.rpm
SHA-256: d61ec2678b1f6f0ebfb515559d7754b76fd5ebc9b24d094604645f35d25f1cb6
dovecot-pgsql-debuginfo-2.3.16-3.el8.aarch64.rpm
SHA-256: ea794bb7776adcec3693657a1fe13562973eb007cb6793118530cd957cec675f
dovecot-pigeonhole-debuginfo-2.3.16-3.el8.aarch64.rpm
SHA-256: e53c1fc821dc9a526fdd0370ca7f06a82d9d8ddf95ac6e10925af43d2e1fb004
Red Hat CodeReady Linux Builder for IBM z Systems 8
s390x
dovecot-debuginfo-2.3.16-3.el8.s390x.rpm
SHA-256: 3b5e4a4d7d593ebfd03b3b729e8de07c9b0a25292f0c1e78e58c1785f4f34d6f
dovecot-debugsource-2.3.16-3.el8.s390x.rpm
SHA-256: 0608dd6da35527125c6d4268837bc796df3b69ccbf6bdafabb2a1a6541f58415
dovecot-devel-2.3.16-3.el8.s390x.rpm
SHA-256: 5aac414fea8e2ce5a53f0fae4b67dbddeb140d8672cfd927377e62e15b734d69
dovecot-mysql-debuginfo-2.3.16-3.el8.s390x.rpm
SHA-256: 9a292cf35c8e7617b3c7219b6c411f1cb2134fa74c37e9eadc55373e917e0c8c
dovecot-pgsql-debuginfo-2.3.16-3.el8.s390x.rpm
SHA-256: 9bdc18d8e63389c42108e70bc46f32075c151c8ae2eb3a845862377d9ffd07f6
dovecot-pigeonhole-debuginfo-2.3.16-3.el8.s390x.rpm
SHA-256: 11e6d299d84e904e9996f9ac6441d6e3c0f0e0607e3cef1c7971b2190c9406a8
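The package lists above pair each RPM filename with its SHA-256. The following is an added example, not Red Hat tooling, of turning that list into an offline check of what was actually downloaded: parse_advisory_hashes() reads "filename" / "SHA-256: hex" line pairs in the layout used on this page, and verify_file() hashes a local file and compares. The advisory excerpt and the files in demo() are constructed for the demonstration (sample bytes, not real packages), so the digests are computed from those bytes rather than taken from the list above.

```python
"""Verify downloaded RPMs against the SHA-256 values listed in an advisory.

Added example, not Red Hat's code. The advisory text and files used in
demo() are constructed stand-ins; the parser expects the page layout of a
filename line followed by a 'SHA-256: <hex>' line.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict

HASH_LINE = re.compile(r"^SHA-256:\s*([0-9a-fA-F]{64})$")


def parse_advisory_hashes(text: str) -> Dict[str, str]:
    """Map each '*.rpm' filename to the SHA-256 given on the following line."""
    expected: Dict[str, str] = {}
    lines = [ln.strip() for ln in text.splitlines()]
    for name, following in zip(lines, lines[1:]):
        m = HASH_LINE.match(following)
        if name.endswith(".rpm") and m:
            expected[name] = m.group(1).lower()
    return expected


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large RPMs are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_file(path: Path, expected: Dict[str, str]) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded package.

    Lookup is by basename, so a file must carry the exact NVRA filename
    from the advisory to be checked at all.
    """
    want = expected.get(path.name)
    if want is None:
        return "unlisted"
    return "ok" if sha256_of(path) == want else "mismatch"


def demo() -> Dict[str, str]:
    """Constructed end-to-end run: one intact file, one tampered, one unlisted."""
    good = b"constructed sample bytes standing in for an RPM\n"
    # Constructed advisory excerpt in the page's layout; the digest is that
    # of the sample bytes, not of the real dovecot package.
    advisory = (
        "x86_64\n"
        "dovecot-2.3.16-3.el8.x86_64.rpm\n"
        f"SHA-256: {hashlib.sha256(good).hexdigest()}\n"
    )
    expected = parse_advisory_hashes(advisory)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a").mkdir()
        (root / "b").mkdir()
        intact = root / "a" / "dovecot-2.3.16-3.el8.x86_64.rpm"
        intact.write_bytes(good)
        tampered = root / "b" / "dovecot-2.3.16-3.el8.x86_64.rpm"
        tampered.write_bytes(good + b"trailing junk")
        unlisted = root / "dovecot-2.3.16-3.el8.i686.rpm"
        unlisted.write_bytes(good)
        return {
            "intact": verify_file(intact, expected),
            "tampered": verify_file(tampered, expected),
            "unlisted": verify_file(unlisted, expected),
        }


if __name__ == "__main__":
    print(demo())
```

A matching SHA-256 only ties a file to what this page lists; the stronger supply-chain check is the package signature (`rpm -K file.rpm` against the Red Hat release key, which `dnf` also enforces when `gpgcheck=1` is set for the repository).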
Related news
- Gentoo Linux Security Advisory 202310-19 - A vulnerability has been discovered in Dovecot that can lead to a privilege escalation when master and non-master passdbs are used. Versions prior to 2.3.19.1-r1 are affected.
- Red Hat Security Advisory 2022-8208-01 - Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Issues addressed include a privilege escalation vulnerability.
- An update for dovecot is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate; a CVSS base score is available from the CVE link in that advisory's References section. Related CVEs: CVE-2022-30550: dovecot: Privilege escalation when similar master and non-master passdbs are used.
- CVE-2022-30550: An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.
- Ubuntu Security Notice 5509-1 - Julian Brook discovered that Dovecot incorrectly handled multiple passdb configuration entries. In certain configurations, a remote attacker could possibly use this issue to escalate privileges.
- Dovecot IMAP server versions 2.2 and 2.3 before 2.3.20 suffer from a privilege escalation vulnerability. When two passdb configuration entries exist in the Dovecot configuration which have the same driver and args settings, the incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation with certain configurations involving master user authentication.
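The CVE description above names the precondition precisely: two passdb blocks with the same driver and args, one of which is meant to be restricted by username_filter (or mechanism) or marked as a master passdb. The following is an added example, not Dovecot's or Red Hat's code, of auditing a configuration for exactly that shape before and after applying the update. The mini parser understands only the flat `key = value` lines inside `passdb { }` blocks (the form `doveconf -n` prints), the two sample configurations are constructed, and the paths `/etc/dovecot/users` and `/etc/dovecot/master-users` are illustrative. SEPARATED_CONF shows one way to avoid the shared (driver, args) pair, giving master users their own passwd file; that is this example's suggestion, not a documented upstream workaround, and the actual fix is the updated package.

```python
"""Audit a Dovecot configuration for the CVE-2022-30550 precondition.

Added example, not Dovecot's or Red Hat's code. It flags passdb blocks that
share driver and args but differ in master, username_filter or mechanism:
the combination in which Dovecot 2.2 and 2.3 before 2.3.20 could apply one
block's settings to the other. Sample configs and paths are constructed.
"""
import re
from typing import Dict, List

PASSDB_BLOCK = re.compile(r"passdb\s*\{(.*?)\}", re.DOTALL)
SETTING = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$", re.MULTILINE)

# Constructed example of the risky shape from the CVE text: both passdbs read
# the same passwd file, and only username_filter is meant to limit who may
# authenticate as a master user.
VULNERABLE_CONF = """
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
  master = yes
  username_filter = admin*
  result_success = continue
}
"""

# Constructed example with the same intent but no shared (driver, args) pair:
# master users live in their own passwd file (assumed acceptable here).
SEPARATED_CONF = """
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/master-users
  master = yes
  result_success = continue
}
"""

# Settings that Dovecot < 2.3.20 could apply to the wrong passdb when the
# backend (driver + args) matched.
WATCHED = ("master", "username_filter", "mechanism")


def parse_passdbs(conf: str) -> List[Dict[str, str]]:
    """Return one settings dict per passdb block, in file order."""
    return [dict(SETTING.findall(body)) for body in PASSDB_BLOCK.findall(conf)]


def find_colliding_passdbs(conf: str) -> List[str]:
    """Describe each pair of passdbs that share driver+args but differ in
    any of WATCHED; an empty list means the risky shape is absent."""
    findings: List[str] = []
    blocks = parse_passdbs(conf)
    for i in range(len(blocks)):
        for j in range(i + 1, len(blocks)):
            a, b = blocks[i], blocks[j]
            same_backend = (a.get("driver"), a.get("args")) == (
                b.get("driver"),
                b.get("args"),
            )
            if not same_backend:
                continue
            diffs = [k for k in WATCHED if a.get(k) != b.get(k)]
            if diffs:
                findings.append(
                    f"passdb #{i + 1} and #{j + 1} share driver={a.get('driver')!r} "
                    f"args={a.get('args')!r} but differ in {', '.join(diffs)}"
                )
    return findings


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("separated", SEPARATED_CONF)):
        print(label, find_colliding_passdbs(conf) or ["no shared-backend passdb pairs"])
```

Run it against `doveconf -n` output from the live server; a non-empty result on a host still running a pre-fix build (here, anything older than dovecot-2.3.16-3.el8) is the configuration to treat as exposed. A clean result does not replace installing the update, since the check only recognises the shape the CVE text describes.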