Advisories for Golang/Github.com/Foxcpp/Maddy package

2023

Authentication Bypass by Primary Weakness

maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted as is after checking the credentials for the authentication username. maddy 0.6.3 includes the fix for the bug. There are no known workarounds.

2022
2021

S3 storage write is not aborted on errors leading to unbounded memory usage

Impact Anyone using storage.blob.s3 introduced in 0.5.0 with storage.imapsql. storage.imapsql local_mailboxes { … msg_store s3 { … } } Patches The relevant commit is pushed to master and will be included in the 0.5.1 release. No special handling of the issue has been done due to the small amount of affected users. Workarounds None. References Original report: https://github.com/foxcpp/maddy/issues/395 Fix: https://github.com/foxcpp/maddy/commit/07c8495ee4394fabbf5aac4df8aebeafb2fb29d8