Displaying 20 results from an estimated 21 matches for "jwt".
Did you mean:
jit
2021 Jun 21
0
CVE-2021-29157: oauth2 JWT local validation path traversal
...fication: 2021-03-22
Solution date: 2021-04-14
Public disclosure: 2021-06-21
CVE reference: CVE-2021-29157
CVSS: 6.7 (CVSS3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Researcher credit: Kirin of Tencent Security Xuanwu Lab
Vulnerability Details:
Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens in some configurations. This requires attacker to be able to write files to local disk.
Risk:
Local attacker can login as any user and access their emails.
Workaround:
Disable local JWT validation in oauth2, or use a...
2021 Jun 21
0
CVE-2021-29157: oauth2 JWT local validation path traversal
...fication: 2021-03-22
Solution date: 2021-04-14
Public disclosure: 2021-06-21
CVE reference: CVE-2021-29157
CVSS: 6.7 (CVSS3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Researcher credit: Kirin of Tencent Security Xuanwu Lab
Vulnerability Details:
Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens in some configurations. This requires attacker to be able to write files to local disk.
Risk:
Local attacker can login as any user and access their emails.
Workaround:
Disable local JWT validation in oauth2, or use a...
2023 Mar 01
0
OAuth2: local validation with RFC9068 tokens
Hello,
my IdP is kind of progressive and implemented RFC9068, where all access tokens now come with typ "at+JWT".
Since the setup has used local validation, I had to switch and currently use introspection endpoint. Looked around at the src and there seems to be relatively simple check of the token typ checking the only fixed value of "JWT" -- do you think you could consider tuning it a little...
2023 Mar 20
1
Dovecot unified event filtering
...");
```
I then use passthrough events like the following:
```
e_debug(event_create_passthrough(data->event)->event(), "Modified mailbox_list_iter_init was called.");
e_warning(event_create_passthrough(event)->event(), "Did not find required key 'roles' in the JWT body.");
```
`e_warning` and `e_error` work fine.
If I understand the documentation for the unified event filtering (https://doc.dovecot.org/configuration_manual/event_filter/#unified-filter-language) correctly, I should be able to enable debug logging for with `log_debug = event="oidc_s...
2009 Jul 12
2
box and whisker (PR#13821)
In a Box and Whisker plot, I thought that when there are outliers both abov=
e and below the whiskers, then the whiskers should both be the same length =
(plus or minus 1.5 times the inter-quartile range).
If you look at the plot for SilwoodWeather on p.155 of The R Book you will =
see that for November (month =3D 11) the upper whisker is shorter than the =
lower, while for other months with
2020 Aug 12
0
Dovecot v2.3.11.3 released
...uot;
* *-login: Changed logging done by proxying to use a consistent prefix
? containing the IP address and port.
* *-login: Changed disconnection log messages to be slightly clearer.
+ dict: Add events for dictionaries.
+ lib-index: Finish logging with events.
+ oauth2: Support local validation of JWT tokens.
+ stats: Add support for dynamic histograms and grouping. See
? https://doc.dovecot.org/configuration_manual/stats/.
+ imap: Implement RFC 8514: IMAP SAVEDATE
+ lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge
? folder) adds a lot of data to dovecot.index.cache file, comm...
2020 Aug 12
0
Dovecot v2.3.11.3 released
...uot;
* *-login: Changed logging done by proxying to use a consistent prefix
? containing the IP address and port.
* *-login: Changed disconnection log messages to be slightly clearer.
+ dict: Add events for dictionaries.
+ lib-index: Finish logging with events.
+ oauth2: Support local validation of JWT tokens.
+ stats: Add support for dynamic histograms and grouping. See
? https://doc.dovecot.org/configuration_manual/stats/.
+ imap: Implement RFC 8514: IMAP SAVEDATE
+ lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge
? folder) adds a lot of data to dovecot.index.cache file, comm...
2024 Oct 12
0
Expiring Soon : Your Medicare Kit Reward
...IjoiMTAyOTE0IiwiaXNzdWUiOiJOT0wtMTExNDQxIn0sImV4cCI6MTczMTA5NjgwNSwiaWF0IjoxNzI4Njc3NjA1fQ.bwfi354pPF4Syv8Q0Vqk2ImVa9OBv4-2JGU6Om7A24I&sda_source=notification-email
Turn off this request's notifications: https://sarahutyug.atlassian.net/servicedesk/customer/portal/77/NOL-111441/unsubscribe?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0Z3QiOiJhbm9ueW1vdXMtbGluayIsInFzaCI6ImU3ZmU0OGY3ZmY2YzFkYjNiMzk0N2QwMmFlMDBmMjI1OTlkYWFlMmZiZmE1ZDZiZGRjZjQxY2JjOTliZjNjMTIiLCJpc3MiOiJzZXJ2aWNlZGVzay1qd3QtdG9rZW4taXNzdWVyIiwiY29udGV4dCI6eyJ1c2VyIjoicW06ODY3M2NjMjAtZTQ1Ni00NmRiLTljOWMtYjI5Mzc4ZTVjMDI3OmRiMD...
2024 Oct 12
0
Important Alert: Your iCloud Storage is Full - Get 50GB Free!
...IjoiMTAyOTE0IiwiaXNzdWUiOiJOT0wtMTExNDQxIn0sImV4cCI6MTczMTA5NjgwNSwiaWF0IjoxNzI4Njc3NjA1fQ.bwfi354pPF4Syv8Q0Vqk2ImVa9OBv4-2JGU6Om7A24I&sda_source=notification-email
Turn off this request's notifications: https://sarahutyug.atlassian.net/servicedesk/customer/portal/77/NOL-111441/unsubscribe?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0Z3QiOiJhbm9ueW1vdXMtbGluayIsInFzaCI6ImU3ZmU0OGY3ZmY2YzFkYjNiMzk0N2QwMmFlMDBmMjI1OTlkYWFlMmZiZmE1ZDZiZGRjZjQxY2JjOTliZjNjMTIiLCJpc3MiOiJzZXJ2aWNlZGVzay1qd3QtdG9rZW4taXNzdWVyIiwiY29udGV4dCI6eyJ1c2VyIjoicW06ODY3M2NjMjAtZTQ1Ni00NmRiLTljOWMtYjI5Mzc4ZTVjMDI3OmRiMD...
2006 Sep 06
1
Server closing all the ports after inactivity Could not connect to webserver
...or the sake of giving users the freedom to cooperate in
a community. And if users don't know this, they will be in danger of losing
their freedom.
--Richard Stallman
Public Key
-------xxxxx cut here xxx--------
AAAAB3NzaC1kc3MAAACBAOJrx7vi+A+tR0pz/nwP8StnPJUOLmwXnxpvb0ty4qyiTzIY3wBmAr37OIccs0+JWT+mXi4mnaFCqoh7YRuhaBhIZ9lqxXGb1r8QnAiEDlrOtjVZTebyrP48awYilSE990/9Mt2ndflcWKoY0Jw1QcsZBCxctOj9sMIFr295xCcLAAAAFQDueRoBYb9ieF7KwvhZ9SlA92BFcQAAAIAY4QidL/eu15JaVWwNrs6Xys8+t2+1h331+G88guxl2q6AMCqgtuZMGomLNVIDN6plZPfxRB6UZYN8q+i03hFErCtX8sk9xO+g5RV8BrC0n87RohNVxm/++fblJ7sNxGYW/eIIm/AduLBhIPe11GDVFA5Km+...
2005 Jun 07
1
map-login: Login failed: Plaintext
Hi
I'm running Dovecot 1.0 stable and getting error like this:
dovecot: Jun 07 11:51:00 Info: Dovecot v1.0-stable starting up dovecot: Jun 07 11:51:01 Info: auth(default): mysql: Connected to postfix Dovecot: Jun 07 11:47:34 Info: imap-login: Login failed: Plaintext
authentication disabled [85.76.231.143]
dovecot.conf Authentication processes section looks like:
auth default {
mechanisms
2005 Oct 04
2
partial sync?
I just installed the latest alpha on Debian Sarge and am getting a lot
of this sort of error:
Oct 4 16:18:58 tarsier dovecot: imap-login: Disconnected: rip=70.209.254.178, lip=192.168.50.105, TLS
Oct 4 16:19:04 tarsier dovecot: imap(jeff): mbox sync: UID inserted in the middle of mailbox /home/jeff/mail/Junk (329 > 274, seq=2, idx_msgs=55)
Oct 4 16:19:07 tarsier dovecot: imap(jeff): mbox
2021 Jun 21
2
Dovecot v2.3.14.1 released
...3/dovecot-2.3.14.1.tar.gz.sig>
Binary packages in https://repo.dovecot.org/ <https://repo.dovecot.org/>
Docker images in https://hub.docker.com/r/dovecot/dovecot <https://hub.docker.com/r/dovecot/dovecot>
* CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
JWT tokens. This may be used to supply attacker controlled keys to
validate tokens, if attacker has local access.
* CVE-2021-33515: On-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client.
- lib-index:...
2021 Jun 21
2
Dovecot v2.3.14.1 released
...3/dovecot-2.3.14.1.tar.gz.sig>
Binary packages in https://repo.dovecot.org/ <https://repo.dovecot.org/>
Docker images in https://hub.docker.com/r/dovecot/dovecot <https://hub.docker.com/r/dovecot/dovecot>
* CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
JWT tokens. This may be used to supply attacker controlled keys to
validate tokens, if attacker has local access.
* CVE-2021-33515: On-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client.
- lib-index:...
2005 Jul 07
1
stat() failed with mbox /var/mail/%u
Hello,
Over the last 12 hours or so, I've been wrestling with a mysterious
dovecot issue. After upgrading a mail server I'm helping my friend with
maintaining from Fedora Core1 to Fedora Core4, I realized that I
couldn't use UW-IMAP4 anymore (well, I can compile it myself, but it
turned out that UW-IMAP was the main cause of the server's having load
average as high as 30 from
2023 Mar 07
1
Feature request: a good way to supply short-lived certificates to openssh
On Tue, Mar 7, 2023, at 3:25 AM, Rory Campbell-Lange wrote:
> On 07/03/23, Darren Tucker (dtucker at dtucker.net) wrote:
>> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote:
>> [...]
>> > ssh_config contains a Match ... exec [command to refresh the certificate].
>> > This sort of works, except that it runs the command far too
2021 Mar 04
2
Dovecot v2.3.14 released
....
- lib-mail: When max nested MIME parts were reached, IMAP BODYSTRUCTURE
was written in a way that may have caused confusion for IMAP clients
and also Dovecot itself when parsing it. The truncated part is now
written out using application/octet-stream MIME type.
- lib-oauth2: HS512 and HS384 JWT token algorithms crash when you try to
use them: Panic: file hmac.c: line 26 (hmac_init): assertion failed:
(meth->context_size <= MAC_MAX_CONTEXT_SIZE).
- event filters: NOT keyword did not have the correct associativity.
NOT a AND b were getting parsed as NOT (a AND b) instead of
(N...
2021 Mar 04
2
Dovecot v2.3.14 released
....
- lib-mail: When max nested MIME parts were reached, IMAP BODYSTRUCTURE
was written in a way that may have caused confusion for IMAP clients
and also Dovecot itself when parsing it. The truncated part is now
written out using application/octet-stream MIME type.
- lib-oauth2: HS512 and HS384 JWT token algorithms crash when you try to
use them: Panic: file hmac.c: line 26 (hmac_init): assertion failed:
(meth->context_size <= MAC_MAX_CONTEXT_SIZE).
- event filters: NOT keyword did not have the correct associativity.
NOT a AND b were getting parsed as NOT (a AND b) instead of
(N...
2021 Feb 17
1
Dovecot v2.3.14.rc1 released
....
- lib-mail: When max nested MIME parts were reached, IMAP BODYSTRUCTURE
was written in a way that may have caused confusion for IMAP clients
and also Dovecot itself when parsing it. The truncated part is now
written out using application/octet-stream MIME type.
- lib-oauth2: HS512 and HS384 JWT token algorithms crash when you try to
use them: Panic: file hmac.c: line 26 (hmac_init): assertion failed:
(meth->context_size <= MAC_MAX_CONTEXT_SIZE).
- event filters: NOT keyword did not have the correct associativity.
NOT a AND b were getting parsed as NOT (a AND b) instead of
(N...
2021 Feb 17
1
Dovecot v2.3.14.rc1 released
....
- lib-mail: When max nested MIME parts were reached, IMAP BODYSTRUCTURE
was written in a way that may have caused confusion for IMAP clients
and also Dovecot itself when parsing it. The truncated part is now
written out using application/octet-stream MIME type.
- lib-oauth2: HS512 and HS384 JWT token algorithms crash when you try to
use them: Panic: file hmac.c: line 26 (hmac_init): assertion failed:
(meth->context_size <= MAC_MAX_CONTEXT_SIZE).
- event filters: NOT keyword did not have the correct associativity.
NOT a AND b were getting parsed as NOT (a AND b) instead of
(N...