Linux Security

    ArchLinux: 202101-4: dovecot: multiple issues

    Date 04 Jan 2021
    Posted By LinuxSecurity Advisories
    The package dovecot before version 2.3.13-1 is vulnerable to multiple issues including information disclosure and denial of service.
    Arch Linux Security Advisory ASA-202101-4
    =========================================
    
    Severity: High
    Date    : 2021-01-04
    CVE-ID  : CVE-2020-24386 CVE-2020-25275
    Package : dovecot
    Type    : multiple issues
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1398
    
    Summary
    =======
    
    The package dovecot before version 2.3.13-1 is vulnerable to multiple
    issues including information disclosure and denial of service.
    
    Resolution
    ==========
    
    Upgrade to 2.3.13-1.
    
    # pacman -Syu "dovecot>=2.3.13-1"
    
    The problems have been fixed upstream in version 2.3.13.
    
    Workaround
    ==========
    
    Operators can choose to disable IMAP hibernation, which is not on by
    default. To ensure IMAP hibernation is disabled, make sure
    imap_hibernate_timeout is set to 0 or unset.
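
    The following POSIX shell script is an added example, not part of the Arch advisory or of dovecot's own tooling: it classifies a host against this advisory from its dovecot version and its imap_hibernate_timeout value (as printed by `doveconf -h`), reporting "fixed" at or above 2.3.13, "mitigated" when hibernation is off (which covers only CVE-2020-24386; the CVE-2020-25275 crash still needs the upgrade), and "vulnerable" otherwise.

```shell
#!/bin/sh
# Added check, not from the advisory: assess a dovecot host against
# ASA-202101-4 using its version and the imap_hibernate_timeout setting.

# version_lt A B: exit 0 when dotted version A is older than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# hibernation_enabled VALUE: VALUE is imap_hibernate_timeout as doveconf
# prints it ("0", "5 secs", "1 mins", or "" when unset). Hibernation is
# enabled only when the leading number is non-zero.
hibernation_enabled() {
    num=$(printf '%s' "$1" | sed -n 's/^[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$num" ] && [ "$num" -ne 0 ]
}

# assess VERSION TIMEOUT: prints fixed | mitigated | vulnerable.
# "mitigated" means the CVE-2020-24386 workaround is in effect; the
# CVE-2020-25275 MIME-part crash is only fixed by upgrading to 2.3.13.
assess() {
    if ! version_lt "$1" "2.3.13"; then
        echo fixed
    elif hibernation_enabled "$2"; then
        echo vulnerable
    else
        echo mitigated
    fi
}

# Live check on a real host, skipped when dovecot is not installed.
if command -v dovecot >/dev/null 2>&1 && command -v doveconf >/dev/null 2>&1; then
    ver=$(dovecot --version | cut -d' ' -f1)
    timeout=$(doveconf -h imap_hibernate_timeout 2>/dev/null)
    echo "dovecot $ver, imap_hibernate_timeout='$timeout': $(assess "$ver" "$timeout")"
fi
```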
    
    Description
    ===========
    
    - CVE-2020-24386 (information disclosure)
    
    A security issue was discovered in dovecot version 2.2.26 up to
    2.3.11.3. When imap hibernation is active, an attacker can cause
    dovecot to discover the file system directory structure and access
    other users' emails using a specially crafted command. The attacker
    must have valid credentials to access the mail server. The issue is
    fixed in dovecot version 2.3.13.
    
    - CVE-2020-25275 (denial of service)
    
    A security issue was discovered in dovecot version 2.3.11 up to
    2.3.11.3. Mail delivery/parsing crashed when the 10 000th MIME part was
    message/rfc822 (or if its parent was multipart/digest). This happened
    due to earlier MIME parsing changes for CVE-2020-12100. Malicious
    senders could crash dovecot repeatedly by sending/uploading messages
    with more than 10 000 MIME parts. The issue is fixed in dovecot version
    2.3.13.
    
    Impact
    ======
    
    Malicious senders could crash dovecot repeatedly by sending/uploading
    messages with more than 10 000 MIME parts.
    In addition, when imap hibernation is active, a remote, authenticated
    attacker can cause dovecot to discover the file system directory
    structure and access other users' emails using a specially crafted
    command.
    
    References
    ==========
    
    https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
    https://github.com/dovecot/core/commit/00df2308b0733e810824545183d73276c416cdd3
    https://github.com/dovecot/core/commit/b4a9872b833b7985c7d0e7615f1b7fc812dd4c55
    https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html
    https://github.com/dovecot/core/commit/67f792cb98267ee74c425772e766e7a2525c0d8f
    https://github.com/dovecot/core/commit/6ae93c3936fc870c313a6fdf44a0999d4129d9b8
    https://security.archlinux.org/CVE-2020-24386
    https://security.archlinux.org/CVE-2020-25275
    
    