Re: CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole

Aki Tuomi aki.tuomi at open-xchange.com
Mon Sep 2 13:03:16 EEST 2019


On 2.9.2019 12.51, MK via dovecot wrote:
>>> On 2 Sep 2019, at 11.01, MK via dovecot <dovecot at dovecot.org> wrote:
>>>
>>> Good Morning List,
>>>
>>> just a short question about this vulnerability. We are using a setup with dovecot redirector/proxy frontend servers
>>> and some backend servers, which store the mailboxes.
>>> Is it enough to update the frontend servers if I would like to fix the vulnerability?
>> No. 
>>
>> Sami
> Thanks. Do I understand this correctly, that updating the frontends fixes the vulnerability only for anonymous requests,
> and for logged-in users the vulnerability still exists if I don't update the backend servers?
>
> Oliver
>

You are correct. After authentication, proxies & directors forward
data as-is to the backend, which leaves you vulnerable to the post-auth
vulnerability.

Aki
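The practical consequence of Aki's answer is that an audit which only looks at the proxy/director tier will report the fleet as patched while every backend is still exposed to the post-auth path. The following is an added example, not code from this thread or from the Dovecot project: it parses `dovecot --version` style output collected from each host and reports every host that is still on a vulnerable build, so that a check restricted to the frontends can be seen to miss the backends. The fixed release numbers in the two tables are taken from the CVE-2019-11500 advisory (they are not stated in this thread; verify them against the advisory before relying on them), and the fleet data is constructed for the example.

```python
"""Fleet-wide version audit for CVE-2019-11500 (added example, not project code)."""
import re

# Fixed releases per the CVE-2019-11500 advisory, keyed by release line.
# These values are not from the thread above; confirm them against the advisory.
FIXED_DOVECOT = {"2.3": (2, 3, 7, 2), "2.2": (2, 2, 36, 4)}
FIXED_PIGEONHOLE = {"0.5": (0, 5, 7, 2), "0.4": (0, 4, 24, 2)}


def parse_version(output):
    """Extract the dotted version from `dovecot --version` / `sievec --version`
    output, e.g. '2.3.7.2 (3c910f64b)' -> (2, 3, 7, 2)."""
    m = re.match(r"\s*(\d+(?:\.\d+)+)", output)
    if not m:
        raise ValueError("unrecognised version output: %r" % output)
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed(version, fixed_table):
    """True if `version` is at or above the fixed release of its own line.
    A line missing from the table (e.g. an unsupported 2.1.x) is treated as
    unfixed, which is the conservative answer for an audit."""
    line = "%d.%d" % version[:2]
    fixed = fixed_table.get(line)
    if fixed is None:
        return False
    return version >= fixed  # tuple comparison: (2,3,7) < (2,3,7,2)


def audit(fleet, roles=None):
    """fleet: {host: {"role": ..., "dovecot": output, "pigeonhole": output or None}}
    roles: optional set of roles to inspect; None means every host.
    Returns the sorted list of hosts still running a vulnerable build."""
    vulnerable = []
    for host, info in fleet.items():
        if roles is not None and info["role"] not in roles:
            continue
        ok = is_fixed(parse_version(info["dovecot"]), FIXED_DOVECOT)
        # Pigeonhole (Sieve/ManageSieve) is affected too and has its own line.
        if info.get("pigeonhole"):
            ok = ok and is_fixed(parse_version(info["pigeonhole"]), FIXED_PIGEONHOLE)
        if not ok:
            vulnerable.append(host)
    return sorted(vulnerable)


# Constructed sample: frontends patched, backends still on vulnerable builds.
# The parenthesised suffix mimics the git hash dovecot prints after the version.
SAMPLE_FLEET = {
    "proxy1": {"role": "frontend", "dovecot": "2.3.7.2 (constructed)", "pigeonhole": None},
    "proxy2": {"role": "frontend", "dovecot": "2.3.7.2 (constructed)", "pigeonhole": None},
    # Dovecot one patch level short of the fix.
    "mbox1": {"role": "backend", "dovecot": "2.3.7.1 (constructed)",
              "pigeonhole": "0.5.7.1 (constructed)"},
    # Dovecot fixed, but Pigeonhole still on the vulnerable release.
    "mbox2": {"role": "backend", "dovecot": "2.2.36.4 (constructed)",
              "pigeonhole": "0.4.24.1 (constructed)"},
}

if __name__ == "__main__":
    print("frontends only:", audit(SAMPLE_FLEET, roles={"frontend"}))  # []
    print("whole fleet:   ", audit(SAMPLE_FLEET))  # ['mbox1', 'mbox2']
```

Running the audit with `roles={"frontend"}` reports nothing, which is exactly the false sense of security the question above describes; running it over the whole fleet flags both backends, including the one whose Dovecot is fixed but whose Pigeonhole is not. In a real deployment the version strings would be gathered from each host (for example over SSH) rather than embedded as they are here.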
