From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: nvd <nvd@nist.gov>
Cc: "buildroot@buildroot.org" <buildroot@buildroot.org>
Subject: [Buildroot] CVE-2022-30550 version range fix
Date: Sat, 17 May 2025 18:18:15 +0200
Message-ID: <20250517181815.02ce0393@windsurf>

Hello,

CVE-2022-30550 is documented in your database as affecting versions of
dovecot up to 2.3.20.

However, according to
https://dovecot.org/pipermail/dovecot-news/2022-July/000477.html, the
fix for this issue is:

  https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch

And this commit is only in Dovecot 2.4.0, which means that versions
2.3.21, 2.3.21.1 are affected.

Here is some additional evidence based on the Git repository of Dovecot:

$ git log --format=oneline 2.3.21  | grep "auth: Fix handling passdbs with identical driver/args but"
$

So 2.3.21 doesn't have the fix.

$ git log --format=oneline 2.3.21.1  | grep "auth: Fix handling passdbs with identical driver/args but"
$

So 2.3.21.1 doesn't have the fix.

$ git log --format=oneline 2.4.0  | grep "auth: Fix handling passdbs with identical driver/args but"
7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 auth: Fix handling passdbs with identical driver/args but different mechanisms/username_filter

Which means that 2.4.0 has the fix.

Therefore, your entry for CVE-2022-30550 should be fixed to indicate
that versions up to (excluding) 2.4.0 are affected.

Thanks for your great work on maintaining this database! It would be
great to have a public issue tracker to report issues.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
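
The per-tag check from the message above, as an added example (not part of the original e-mail, nor Buildroot or Dovecot tooling). It also verifies that each ref exists, because a mistyped tag produces the same empty grep output as a missing fix. The function names and the toy repository are constructed for illustration; the subject string is the one quoted in the message.

```shell
#!/bin/sh
# Added example: per release tag, is a commit with this subject reachable?

# fix_status REPO REF SUBJECT -> prints fixed | affected | unknown-ref
fix_status() {
    repo=$1 ref=$2 subject=$3
    # `git log` on a mistyped ref prints nothing, so a bare grep would report
    # the fix as absent. Verify the ref resolves to a commit first.
    if ! git -C "$repo" rev-parse --verify --quiet "$ref^{commit}" >/dev/null; then
        echo unknown-ref
        return 0
    fi
    # Compare subjects, not hashes: a backported commit gets a new hash.
    if git -C "$repo" log --format=%s "$ref" | grep -Fq -- "$subject"; then
        echo fixed
    else
        echo affected
    fi
}

# affected_tags REPO SUBJECT TAG... -> prints each tag that lacks the fix
affected_tags() {
    repo=$1 subject=$2
    shift 2
    for t in "$@"; do
        if [ "$(fix_status "$repo" "$t" "$subject")" = affected ]; then
            echo "$t"
        fi
    done
}

# Constructed toy repository (linear history, empty commits) for trying it out.
make_demo_repo() {
    d=$1
    g() { git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
              -c commit.gpgsign=false "$@"; }
    git init -q "$d"
    g commit -q --allow-empty -m "initial import" && g tag 2.3.21
    g commit -q --allow-empty -m "unrelated change" && g tag 2.3.21.1
    g commit -q --allow-empty -m "auth: Fix handling passdbs with identical driver/args but different mechanisms/username_filter" && g tag 2.4.0
}

# Usage: script REPO SUBJECT TAG...
if [ "$#" -ge 3 ]; then affected_tags "$@"; fi
```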