search for: jwt

Displaying 19 results from an estimated 19 matches for "jwt".

2021 Jun 21
0
CVE-2021-29157: oauth2 JWT local validation path traversal
...fication: 2021-03-22 Solution date: 2021-04-14 Public disclosure: 2021-06-21 CVE reference: CVE-2021-29157 CVSS: 6.7 (CVSS3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) Researcher credit: Kirin of Tencent Security Xuanwu Lab Vulnerability Details: Dovecot does not correctly escape the kid and azp fields in JWT tokens. This may be used to supply attacker-controlled keys to validate tokens in some configurations. This requires the attacker to be able to write files to local disk. Risk: A local attacker can log in as any user and access their emails. Workaround: Disable local JWT validation in oauth2, or use a...
2023 Mar 01
0
OAuth2: local validation with RFC9068 tokens
Hello, my IdP is kind of progressive and implemented RFC9068, where all access tokens now come with typ "at+JWT". Since the setup has used local validation, I had to switch and currently use the introspection endpoint. Looked around at the src and there seems to be a relatively simple check of the token typ against the single fixed value "JWT" -- do you think you could consider tuning it a little...
2023 Mar 20
1
Dovecot unified event filtering
..."); ``` I then use passthrough events like the following: ``` e_debug(event_create_passthrough(data->event)->event(), "Modified mailbox_list_iter_init was called."); e_warning(event_create_passthrough(event)->event(), "Did not find required key 'roles' in the JWT body."); ``` `e_warning` and `e_error` work fine. If I understand the documentation for the unified event filtering (https://doc.dovecot.org/configuration_manual/event_filter/#unified-filter-language) correctly, I should be able to enable debug logging for with `log_debug = event="oidc_s...
2009 Jul 12
2
box and whisker (PR#13821)
In a Box and Whisker plot, I thought that when there are outliers both above and below the whiskers, then the whiskers should both be the same length (plus or minus 1.5 times the inter-quartile range). If you look at the plot for SilwoodWeather on p.155 of The R Book you will see that for November (month = 11) the upper whisker is shorter than the lower, while for other months with
2020 Aug 12
0
Dovecot v2.3.11.3 released
..." * *-login: Changed logging done by proxying to use a consistent prefix containing the IP address and port. * *-login: Changed disconnection log messages to be slightly clearer. + dict: Add events for dictionaries. + lib-index: Finish logging with events. + oauth2: Support local validation of JWT tokens. + stats: Add support for dynamic histograms and grouping. See https://doc.dovecot.org/configuration_manual/stats/. + imap: Implement RFC 8514: IMAP SAVEDATE + lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge folder) adds a lot of data to dovecot.index.cache file, comm...
2006 Sep 06
1
Server closing all the ports after inactivity Could not connect to webserver
...or the sake of giving users the freedom to cooperate in a community. And if users don't know this, they will be in danger of losing their freedom. --Richard Stallman Public Key -------xxxxx cut here xxx-------- AAAAB3NzaC1kc3MAAACBAOJrx7vi+A+tR0pz/nwP8StnPJUOLmwXnxpvb0ty4qyiTzIY3wBmAr37OIccs0+JWT+mXi4mnaFCqoh7YRuhaBhIZ9lqxXGb1r8QnAiEDlrOtjVZTebyrP48awYilSE990/9Mt2ndflcWKoY0Jw1QcsZBCxctOj9sMIFr295xCcLAAAAFQDueRoBYb9ieF7KwvhZ9SlA92BFcQAAAIAY4QidL/eu15JaVWwNrs6Xys8+t2+1h331+G88guxl2q6AMCqgtuZMGomLNVIDN6plZPfxRB6UZYN8q+i03hFErCtX8sk9xO+g5RV8BrC0n87RohNVxm/++fblJ7sNxGYW/eIIm/AduLBhIPe11GDVFA5Km+...
2005 Jun 07
1
map-login: Login failed: Plaintext
Hi I'm running Dovecot 1.0 stable and getting error like this: dovecot: Jun 07 11:51:00 Info: Dovecot v1.0-stable starting up dovecot: Jun 07 11:51:01 Info: auth(default): mysql: Connected to postfix Dovecot: Jun 07 11:47:34 Info: imap-login: Login failed: Plaintext authentication disabled [85.76.231.143] dovecot.conf Authentication processes section looks like: auth default { mechanisms
2005 Oct 04
2
partial sync?
I just installed the latest alpha on Debian Sarge and am getting a lot of this sort of error: Oct 4 16:18:58 tarsier dovecot: imap-login: Disconnected: rip=70.209.254.178, lip=192.168.50.105, TLS Oct 4 16:19:04 tarsier dovecot: imap(jeff): mbox sync: UID inserted in the middle of mailbox /home/jeff/mail/Junk (329 > 274, seq=2, idx_msgs=55) Oct 4 16:19:07 tarsier dovecot: imap(jeff): mbox
2021 Jun 21
2
Dovecot v2.3.14.1 released
...3/dovecot-2.3.14.1.tar.gz.sig> Binary packages in https://repo.dovecot.org/ <https://repo.dovecot.org/> Docker images in https://hub.docker.com/r/dovecot/dovecot <https://hub.docker.com/r/dovecot/dovecot> * CVE-2021-29157: Dovecot does not correctly escape the kid and azp fields in JWT tokens. This may be used to supply attacker-controlled keys to validate tokens, if the attacker has local access. * CVE-2021-33515: An on-path attacker could have injected plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client. - lib-index:...
2005 Jul 07
1
stat() failed with mbox /var/mail/%u
Hello, Over the last 12 hours or so, I've been wrestling with a mysterious dovecot issue. After upgrading a mail server I'm helping my friend with maintaining from Fedora Core1 to Fedora Core4, I realized that I couldn't use UW-IMAP4 anymore (well, I can compile it myself, but it turned out that UW-IMAP was the main cause of the server's having load average as high as 30 from
2023 Mar 07
1
Feature request: a good way to supply short-lived certificates to openssh
On Tue, Mar 7, 2023, at 3:25 AM, Rory Campbell-Lange wrote: > On 07/03/23, Darren Tucker (dtucker at dtucker.net) wrote: >> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote: >> [...] >> > ssh_config contains a Match ... exec [command to refresh the certificate]. >> > This sort of works, except that it runs the command far too
2021 Mar 04
2
Dovecot v2.3.14 released
.... - lib-mail: When max nested MIME parts were reached, IMAP BODYSTRUCTURE was written in a way that may have caused confusion for IMAP clients and also Dovecot itself when parsing it. The truncated part is now written out using application/octet-stream MIME type. - lib-oauth2: HS512 and HS384 JWT token algorithms crash when you try to use them: Panic: file hmac.c: line 26 (hmac_init): assertion failed: (meth->context_size <= MAC_MAX_CONTEXT_SIZE). - event filters: NOT keyword did not have the correct associativity. NOT a AND b were getting parsed as NOT (a AND b) instead of (N...
2021 Feb 17
1
Dovecot v2.3.14.rc1 released
.... - lib-mail: When max nested MIME parts were reached, IMAP BODYSTRUCTURE was written in a way that may have caused confusion for IMAP clients and also Dovecot itself when parsing it. The truncated part is now written out using application/octet-stream MIME type. - lib-oauth2: HS512 and HS384 JWT token algorithms crash when you try to use them: Panic: file hmac.c: line 26 (hmac_init): assertion failed: (meth->context_size <= MAC_MAX_CONTEXT_SIZE). - event filters: NOT keyword did not have the correct associativity. NOT a AND b were getting parsed as NOT (a AND b) instead of (N...
2003 Dec 01
0
No subject
...0417) to mount a share to a RH 7.1 box (kernel 2.4.4). There are various ways to specify the password for a user with partly different behavior when the password is a bit strange. If the password has a comma inside, the command smbmount //wserv/tester /mnt/test -o username=tester,password='bv,jwt' or smbmount //wserv/tester /mnt/test -o username=tester,password=bv\,jwt fails, while export PASSWD='bv,jwt' smbmount //wserv/tester /mnt/test -o username=tester succeeds. That password works well too, when it is specified in a credential file: printf "username = tester\npas...