
The Debian project has issued two separate security advisories: DSA-6019-1 for the Dovecot email server on Debian GNU/Linux 13 (Trixie), and ELA-1534-1 for FreeIPA, an integrated security information management solution, on Debian GNU/Linux 10 (Buster) Extended LTS. The Dovecot advisory addresses a flaw in authentication cache management that could result in users being logged in as the wrong user in certain configurations; it is fixed in version 1:2.4.1+dfsg1-6+deb13u1. The FreeIPA advisory, fixed in version 4.7.2-3+deb10u2, lists six CVEs (Common Vulnerabilities and Exposures), covering password exposure in logs, a crash or arbitrary code execution in Kerberos key parsing, offline brute force of principal passwords from service tickets, leakage of administrator credentials into the journal, and privilege escalation from a host to the domain.

[DSA 6019-1] dovecot security update
ELA-1534-1 freeipa security update



[SECURITY] [DSA 6019-1] dovecot security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6019-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 05, 2025                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : dovecot
Debian Bug : 1115474 1115964

A flaw with the authentication cache management was discovered in the
Dovecot email server, which could result in users being logged in as the
wrong user in certain configurations.

For the stable distribution (trixie), this problem has been fixed in
version 1:2.4.1+dfsg1-6+deb13u1.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1534-1 freeipa security update


Package : freeipa
Version : 4.7.2-3+deb10u2 (buster)

Related CVEs :
CVE-2019-10195
CVE-2019-14867
CVE-2023-5455
CVE-2024-3183
CVE-2024-11029
CVE-2025-4404

FreeIPA, an integrated security information management solution designed for Linux and Unix
environments, was affected by multiple vulnerabilities.

CVE-2019-10195
FreeIPA's batch processing API logged operations, including user passwords in clear text on FreeIPA masters.
Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA
but is possible by third-party components. An attacker having access to system logs on FreeIPA masters
could use this flaw to produce log file content with passwords exposed.

CVE-2019-14867
A flaw was found in the way some FreeIPA components used the internal function ber_scanf()
to parse Kerberos key data. An unauthenticated attacker who could trigger parsing of a Kerberos
principal key could crash the IPA server or, under some conditions, execute arbitrary code
on the host running it.

CVE-2024-3183
A flaw was found in the way FreeIPA handles Kerberos TGS-REQ exchanges. The request is encrypted
with the client's session key, which differs for every session and so resists brute force. However,
the ticket it contains is encrypted directly with the target principal's key. For user principals,
that key is derived from the user's password and a public, per-principal, randomly generated salt.
An attacker holding any compromised principal can therefore request tickets for any other principal,
each encrypted with that principal's own long-term key. Taking those tickets and salts offline, the
attacker can brute-force candidate strings that, combined with the principal's salt, decrypt the
ticket, which is to say recover the principal's password.

CVE-2024-11029
A flaw was found in the FreeIPA API audit, which sends the whole FreeIPA command line to journalctl.
As a consequence, during the FreeIPA installation process it inadvertently leaks the administrative
user credentials, including the administrator password, to the journal database. In the worst case,
where the journal log is centralized, anyone with access to that log can read the FreeIPA
administrator credentials.
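The two log-exposure issues above (CVE-2024-11029 and CVE-2019-10195) leave the same question for an operator: which credentials are now sitting in the journal and any forwarded copies? The following script is an added example, not code from the advisory or from FreeIPA. It scans log lines for the ipa-server-install password options (--ds-password/-p and --admin-password/-a are real option names; the hostnames, PIDs and password values in the sample lines are constructed) and reports every value found, plus a redacted copy of each line.

```python
"""Scan journal output for FreeIPA installer command lines that carry passwords.

Added example for the CVE-2024-11029 and CVE-2019-10195 entries above; it is
not code from the advisory or from FreeIPA. Pipe it the output of
"journalctl -o short" (or any log lines) and it lists the command-line
password arguments that ended up in the log, so you know which credentials to
rotate and which lines to purge from forwarded copies.
"""
import re

# Real ipa-server-install option names for the Directory Manager and admin
# passwords; -p and -a are the short forms of the same options. Extend the
# list for other tools if your logs show them (the list is this example's
# assumption, not one taken from the advisory).
PASSWORD_FLAGS = ("--ds-password", "--admin-password", "-p", "-a")

# A flag at the start of a token, followed by "=value" or whitespace and a value.
LEAK_RE = re.compile(
    r"(?<!\S)(?P<flag>" + "|".join(re.escape(f) for f in PASSWORD_FLAGS) + r")"
    r"(?:=|\s+)(?P<value>\S+)"
)

# Constructed sample log lines: the host name, PIDs and password values are
# made up for this example and do not come from a real journal.
SAMPLE_JOURNAL = """\
Oct 05 10:01:02 ipa.example.test ipa-server-install[1234]: /usr/sbin/ipa-server-install --realm EXAMPLE.TEST --ds-password Secr3tDM --admin-password=Adm1nPass -U
Oct 05 10:01:03 ipa.example.test ipa-server-install[1234]: Checking DNS domain example.test., please wait ...
Oct 05 10:09:41 ipa.example.test ipa-server-install[2345]: /usr/sbin/ipa-server-install -p Secr3tDM -a Adm1nPass -r EXAMPLE.TEST
"""


def find_credential_leaks(lines):
    """Return (line_number, flag, value) for every password argument found."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in LEAK_RE.finditer(line):
            hits.append((lineno, m.group("flag"), m.group("value")))
    return hits


def redact(line):
    """Replace each password value with a placeholder, keeping the flag visible."""
    return LEAK_RE.sub(lambda m: f"{m.group('flag')} <REDACTED>", line)


if __name__ == "__main__":
    import sys

    # Read real log lines from a pipe; fall back to the constructed sample.
    source = (sys.stdin.read().splitlines()
              if not sys.stdin.isatty() else SAMPLE_JOURNAL.splitlines())
    for lineno, flag, _ in find_credential_leaks(source):
        print(f"line {lineno}: password passed via {flag}")
    for line in source:
        print(redact(line))
```

Short flags such as -p and -a are generic enough to appear in unrelated commands, so treat a hit on them as something to inspect rather than as proof of a leak; the long option names are unambiguous.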

CVE-2025-4404
A privilege escalation from host to domain vulnerability was found in the FreeIPA project.
By default, FreeIPA did not validate the uniqueness of the `krbCanonicalName` of the admin
account, allowing users to create services with the same canonical name as the REALM admin.
On a successful attack, the user can retrieve a Kerberos ticket in the name of this service
that carries the admin@REALM identity. This allows an attacker to perform administrative tasks
over the REALM, leading to access to sensitive data and its exfiltration.
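Upgrading stops new collisions, but it does not tell you whether a service with the admin's canonical name was already created before the fix. The script below is an added example, not code from the advisory or from FreeIPA: it parses an LDIF export of the cn=accounts subtree and reports every krbCanonicalName shared by more than one entry. The realm EXAMPLE.TEST, the base DN, the host names and the entries themselves are constructed for illustration; the second check (canonical name not among the entry's own krbPrincipalName aliases) is a heuristic this example adds, not a rule stated in the advisory.

```python
"""Audit a FreeIPA LDIF export for krbCanonicalName collisions (CVE-2025-4404).

Added example, not code from the advisory or from the FreeIPA project. Feed it
an LDIF export of the cn=accounts subtree (for instance from ldapsearch -LLL)
and it reports every canonical principal name shared by more than one entry,
which is exactly the duplicate the fixed package refuses to create.
"""
import base64
import re
from collections import defaultdict

# Constructed sample data: the realm EXAMPLE.TEST, the base DN and the host
# names are assumptions for illustration, not a real directory export. The
# last entry is a service whose krbCanonicalName collides with admin@REALM.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
objectClass: krbprincipalaux
krbPrincipalName: admin@EXAMPLE.TEST
krbCanonicalName: admin@EXAMPLE.TEST

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: krbprincipalaux
krbPrincipalName: alice@EXAMPLE.TEST
krbCanonicalName: alice@EXAMPLE.TEST

dn: krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
objectClass: krbprincipalaux
krbPrincipalName: HTTP/web.example.test@EXAMPLE.TEST
krbCanonicalName: HTTP/web.example.test@EXAMPLE.TEST

dn: krbprincipalname=svc/host.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
objectClass: krbprincipalaux
krbPrincipalName: svc/host.example.test@EXAMPLE.TEST
krbCanonicalName: admin@EXAMPLE.TEST
"""

# attribute name, ":" or "::" (base64-encoded value), value
ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Return a list of {attr_lower: [values]} dicts, one per LDIF entry.

    Handles LDIF line folding (continuation lines start with one space) and
    base64 values ("attr:: ..."). Attribute names are lower-cased because LDAP
    treats them case-insensitively; values are kept verbatim.
    """
    entries = []
    for block in re.split(r"\n(?:[ \t]*\n)+", text.strip()):
        entry = defaultdict(list)
        for line in block.replace("\n ", "").splitlines():
            if not line or line.startswith("#"):
                continue
            m = ATTR_RE.match(line)
            if not m:
                raise ValueError(f"malformed LDIF line: {line!r}")
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            entry[attr.lower()].append(value)
        if entry:
            entries.append(dict(entry))
    return entries


def find_canonical_name_collisions(entries):
    """Map every krbCanonicalName used by more than one entry to those entries' DNs.

    Names are compared verbatim: Kerberos principal names are case-sensitive,
    so admin@EXAMPLE.TEST and Admin@EXAMPLE.TEST are different principals.
    """
    by_name = defaultdict(list)
    for entry in entries:
        for name in entry.get("krbcanonicalname", []):
            by_name[name].append(entry["dn"][0])
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}


def find_unaliased_canonical_names(entries):
    """Heuristic second check (this example's assumption, not a rule from the
    advisory): an entry whose krbCanonicalName is not also one of its own
    krbPrincipalName values is unusual and worth a look, since FreeIPA normally
    lists the canonical name among the entry's principal aliases.
    """
    flagged = []
    for entry in entries:
        aliases = set(entry.get("krbprincipalname", []))
        for name in entry.get("krbcanonicalname", []):
            if name not in aliases:
                flagged.append((entry["dn"][0], name))
    return flagged


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for name, dns in find_canonical_name_collisions(directory).items():
        print(f"krbCanonicalName {name} is shared by {len(dns)} entries:")
        for dn in dns:
            print(f"    {dn}")
    for dn, name in find_unaliased_canonical_names(directory):
        print(f"canonical name {name} is not among the aliases of {dn}")
```

Run it against a real export with `ldapsearch -LLL -b cn=accounts,<base DN> krbCanonicalName krbPrincipalName` saved to a file and passed to parse_ldif(); any collision involving admin@REALM should be treated as a compromise of the realm, not just a configuration error, until the offending entry's history is understood.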
