On Thu, Apr 25, 2024 at 06:10:54PM +0200, Jonas Schäfer wrote:
> Hello list,
> 
> Managesieve is a protocol to configure the email filtering system Sieve via 
> TCP/IP. It is typically authenticated just like IMAP is. The managesieve 
> client implementation in KDE (libksieve) had a bug which used the password as 
> username.
> 
> That exposed the password in plaintext server logs, as usernames are commonly 
> logged on failed login attempts.
> 
> This bug has existed for several years and made it into multiple Debian 
> releases. It has only recently been fixed upstream [1] and even more recently 
> been fixed in Debian [2] (stable package updates still pending). As this bug 
> has been documented on the internet in various places [3] [4] but I haven't 
> seen any mention of it here yet, I thought sharing it here made sense.
> 
> As far as I know, no CVE has been allocated for this.

FTR, https://www.cve.org/CVERecord?id=CVE-2023-52723 was assigned for
this issue.

Regards,
Salvatore
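To make the failure mode above concrete, here is an added illustration (not code from libksieve, KDE, Debian, or either poster) of the ManageSieve AUTHENTICATE exchange with SASL PLAIN, a simulated server that logs the username on failed logins the way common IMAP/ManageSieve servers do, and a client that swaps the two credentials. The account table, the log line format, and the two client functions are constructed for this example; the swap is a stand-in for the bug class described, not libksieve's actual code path.

```python
import base64
import re


def sasl_plain_initial_response(username: str, password: str, authzid: str = "") -> str:
    """Build the SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd, base64."""
    for field in (authzid, username, password):
        if "\0" in field:
            raise ValueError("NUL is not permitted inside SASL PLAIN fields")
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def managesieve_authenticate_command(initial_response: str) -> str:
    """ManageSieve AUTHENTICATE command line with an inline initial response (RFC 5804 section 2.1)."""
    return f'AUTHENTICATE "PLAIN" "{initial_response}"\r\n'


# Constructed test account for the simulated server.
USERS = {"alice": "hunter2"}


def server_handle_authenticate(line: str, log: list) -> bool:
    """Simulated server side: decode SASL PLAIN, check the credentials, append a log line.

    As on real servers, only the *username* (authcid) is written to the log on failure.
    """
    m = re.fullmatch(r'AUTHENTICATE "PLAIN" "([A-Za-z0-9+/=]+)"\r\n', line)
    if not m:
        log.append("auth failed: malformed AUTHENTICATE command")
        return False
    try:
        raw = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        _authzid, authcid, passwd = raw.split("\0")
    except (ValueError, UnicodeDecodeError):
        log.append("auth failed: malformed SASL PLAIN response")
        return False
    if USERS.get(authcid) == passwd:
        log.append(f"auth ok: user=<{authcid}>")
        return True
    log.append(f"auth failed: user=<{authcid}>")
    return False


def correct_client_login(username: str, password: str, log: list) -> bool:
    """Client that puts the username in the authcid slot and the password in the passwd slot."""
    resp = sasl_plain_initial_response(username, password)
    return server_handle_authenticate(managesieve_authenticate_command(resp), log)


def buggy_client_login(username: str, password: str, log: list) -> bool:
    """Constructed stand-in for the bug class: arguments swapped, so the password becomes the authcid.

    Authentication fails, and the server's failure log line now contains the password.
    """
    resp = sasl_plain_initial_response(password, username)
    return server_handle_authenticate(managesieve_authenticate_command(resp), log)


def find_secret_in_log(log: list, secret: str) -> list:
    """Return the log lines that contain a known secret; useful when checking whether logs need scrubbing."""
    return [entry for entry in log if secret in entry]


if __name__ == "__main__":
    good_log, bad_log = [], []
    print(correct_client_login("alice", "hunter2", good_log), good_log)
    print(buggy_client_login("alice", "hunter2", bad_log), bad_log)
    print(find_secret_in_log(bad_log, "hunter2"))
```

The takeaway for operators is the last function: once a client with this class of bug has talked to your server, the password sits in the failed-login line of the auth log, and the log (and any SIEM or backup it was shipped to) has to be treated as containing credentials.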
