- Plesk Onyx for Linux
In Dovecot, a suitable client certificate can be used to log in as another user. This vulnerability is known as CVE-2019-3814.
The Dovecot team released a new version with a security fix for CVE-2019-3814 on February 5, 2019.
Vulnerable versions of Dovecot: 1.1.0 - 2.2.36 and 2.3.0 - 2.3.4
The default Plesk installation is not affected by the vulnerability.
However, if the Client certificate verification/authentication option was enabled, Dovecot becomes vulnerable.
Call to Action
If the default Plesk configuration was not modified, no action is required.
If the Client certificate verification/authentication option was enabled, disable it and do not modify it until the new Dovecot version is installed. To check whether this option is enabled, search for the following lines in the Dovecot configuration:
# grep "auth_ssl" -iR /etc/dovecot/*
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
The new version of Dovecot will be included in Plesk in one of the next micro updates for supported versions of Plesk. Keep Plesk up to date.
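The check above can be scripted so that it compares the installed version against the listed ranges and ignores commented-out settings. This is an added example, not code from Plesk or Dovecot; the function names, the sample configuration file and the build hash in the version string are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Plesk or Dovecot code.

# "2.3.4 (abc1234)" -> 2003004000. Four components are kept so a point
# release above an upper bound (e.g. 2.3.4.1) is not counted as 2.3.4.
ver_num() {
    echo "$1" | awk -F. '{ printf "%d%03d%03d%03d\n", $1, $2, $3, $4 }'
}

# Status 0 if $1 lies in the ranges the page lists:
# 1.1.0 - 2.2.36 and 2.3.0 - 2.3.4.
version_in_vulnerable_range() {
    n=$(ver_num "$1")
    { [ "$n" -ge "$(ver_num 1.1.0)" ] && [ "$n" -le "$(ver_num 2.2.36)" ]; } ||
    { [ "$n" -ge "$(ver_num 2.3.0)" ] && [ "$n" -le "$(ver_num 2.3.4)" ]; }
}

# Print uncommented auth_ssl_* lines set to "yes" under directory $1.
# (A bare grep for "auth_ssl" also matches commented-out lines.)
active_client_cert_settings() {
    pat='^[[:space:]]*auth_ssl_(require_client_cert|username_from_cert)'
    pat="$pat"'[[:space:]]*=[[:space:]]*yes([[:space:]]|#|$)'
    grep -riE "$pat" "$1" 2>/dev/null
}

# Status 0 = exposed: version in range AND one of the settings is active.
# Assumption: either line from the page counts as the option being enabled.
cve_2019_3814_exposed() {   # $1 = version string, $2 = config directory
    version_in_vulnerable_range "$1" || return 1
    [ -n "$(active_client_cert_settings "$2")" ]
}

# Demo on a constructed config file (not taken from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' '#auth_ssl_require_client_cert = yes' \
    'auth_ssl_username_from_cert = yes' > "$demo_dir/sample.conf"
if cve_2019_3814_exposed "2.3.4 (abc1234)" "$demo_dir"; then
    echo "Exposed: disable these settings until Dovecot is updated:"
    active_client_cert_settings "$demo_dir"
fi
rm -rf "$demo_dir"
```

On a live host, pass the output of `dovecot --version` as the first argument and `/etc/dovecot` as the second. The scan reads files under that directory only; `doveconf -n` prints the effective non-default settings if the configuration pulls in files from elsewhere.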