Security Advisory Details

NS-SA-2019-0220

2019-11-22 16:16:53

Summary

important: dovecot/mod_auth_openidc security update

Severity Level

important

Topic

An update for dovecot/mod_auth_openidc is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

dovecot: Dovecot is an IMAP server for Linux/UNIX-like systems, written with security primarily in mind. It also contains a small POP3 server. It supports mail in either maildir or mbox format. The SQL drivers and authentication plug-ins are in their own subpackages.
mod_auth_openidc: This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.


Security Fix(es):
dovecot: In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution. (CVE-2019-11500)
dovecot: bugfix
mod_auth_openidc: It was found that mod_auth_openidc did not properly sanitize HTTP headers for certain request paths. A remote attacker could potentially use this flaw to bypass authentication and access sensitive information by sending crafted HTTP requests. (CVE-2017-6413)
mod_auth_openidc: A text injection flaw was found in how mod_auth_openidc handled error pages. An attacker could potentially use this flaw to conduct content spoofing and phishing attacks by tricking users into opening specially crafted URLs. (CVE-2017-6059)
mod_auth_openidc: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F19.

Affected Components

  • dovecot
  • mod_auth_openidc

Affected Products

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

Update Packages

{"fix": [
  {"product": "CGSL MAIN 5.04", "pkgs": [
    {"binary": ["dovecot-2.2.36-3.el7_7.1.x86_64.rpm",
                "dovecot-debuginfo-2.2.36-3.el7_7.1.x86_64.rpm",
                "dovecot-devel-2.2.36-3.el7_7.1.x86_64.rpm",
                "dovecot-mysql-2.2.36-3.el7_7.1.x86_64.rpm",
                "dovecot-pgsql-2.2.36-3.el7_7.1.x86_64.rpm",
                "dovecot-pigeonhole-2.2.36-3.el7_7.1.x86_64.rpm"],
     "source": "dovecot-2.2.36-3.el7_7.1.src.rpm"},
    {"binary": ["mod_auth_openidc-1.8.8-5.el7.x86_64.rpm",
                "mod_auth_openidc-debuginfo-1.8.8-5.el7.x86_64.rpm"],
     "source": "mod_auth_openidc-1.8.8-5.el7.src.rpm"}]},
  {"product": "CGSL CORE 5.04", "pkgs": [
    {"binary": ["dovecot-2.2.36-3.el7_7.1.x86_64.rpm",
                "dovecot-debuginfo-2.2.36-3.el7_7.1.x86_64.rpm",
                "dovecot-devel-2.2.36-3.el7_7.1.x86_64.rpm",
                "dovecot-mysql-2.2.36-3.el7_7.1.x86_64.rpm",
                "dovecot-pgsql-2.2.36-3.el7_7.1.x86_64.rpm",
                "dovecot-pigeonhole-2.2.36-3.el7_7.1.x86_64.rpm"],
     "source": "dovecot-2.2.36-3.el7_7.1.src.rpm"},
    {"binary": ["mod_auth_openidc-1.8.8-5.el7.x86_64.rpm",
                "mod_auth_openidc-debuginfo-1.8.8-5.el7.x86_64.rpm"],
     "source": "mod_auth_openidc-1.8.8-5.el7.src.rpm"}]}]}
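As an added example that is not part of this advisory or of NewStart's tooling: the following Python script parses an excerpt of the update-package JSON above and compares the fixed version-release of each listed package with a constructed sample of `rpm -qa` output, flagging installed packages that are still older than the fixed build. The RPM version comparison is a simplified reimplementation (no epoch or '~'/'^' handling), and the installed package list is constructed sample data.

```python
import json
import re

# Excerpt of this advisory's update-package JSON (CGSL MAIN 5.04 entries, filenames as listed above).
ADVISORY_FIX_JSON = '''{"fix":[{"product":"CGSL MAIN 5.04","pkgs":[
 {"binary":["dovecot-2.2.36-3.el7_7.1.x86_64.rpm","dovecot-pigeonhole-2.2.36-3.el7_7.1.x86_64.rpm"],
  "source":"dovecot-2.2.36-3.el7_7.1.src.rpm"},
 {"binary":["mod_auth_openidc-1.8.8-5.el7.x86_64.rpm"],"source":"mod_auth_openidc-1.8.8-5.el7.src.rpm"}]}]}'''

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` output on a host.
INSTALLED_SAMPLE = """dovecot-2.2.36-3.el7.x86_64
dovecot-pigeonhole-2.2.36-3.el7_7.1.x86_64
mod_auth_openidc-1.8.8-4.el7.x86_64
httpd-2.4.6-90.el7.x86_64"""

def split_nvra(s):
    """'name-version-release.arch[.rpm]' -> (name, version, release, arch)."""
    if s.endswith(".rpm"):
        s = s[:-4]
    nvr, arch = s.rsplit(".", 1)
    nv, rel = nvr.rsplit("-", 1)
    name, ver = nv.rsplit("-", 1)
    return name, ver, rel, arch

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no epoch or '~'/'^' handling): returns -1, 0 or 1."""
    def key(s):  # numeric segments compare as ints and outrank alphabetic ones
        return [(1, int(t)) if t.isdigit() else (0, t) for t in re.findall(r"\d+|[A-Za-z]+", s)]
    ka, kb = key(a), key(b)
    return (ka > kb) - (ka < kb)  # list comparison: segment by segment, more segments wins a tie

def audit(installed_text, fix_json, product):
    """Map each installed package the advisory covers to 'VULNERABLE' or 'OK'."""
    fixed = {}  # name -> (fixed version, fixed release) for the chosen product
    for entry in json.loads(fix_json)["fix"]:
        if entry["product"] == product:
            for rpm in (r for pkg in entry["pkgs"] for r in pkg["binary"]):
                name, ver, rel, _ = split_nvra(rpm)
                fixed[name] = (ver, rel)
    report = {}
    for line in installed_text.splitlines():
        name, ver, rel, _ = split_nvra(line.strip())
        if name in fixed:  # packages not named in the advisory are ignored
            older = (rpmvercmp(ver, fixed[name][0]) or rpmvercmp(rel, fixed[name][1])) < 0
            report[name] = "VULNERABLE" if older else "OK"
    return report

if __name__ == "__main__":
    print(audit(INSTALLED_SAMPLE, ADVISORY_FIX_JSON, "CGSL MAIN 5.04"))
```

On a real host, replace INSTALLED_SAMPLE with the actual `rpm -qa` output and the excerpt with the full JSON from this page.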

CVE

References