Fedora 31: dovecot FEDORA-2020-b60344c987

Date 27 May 2020

Category Fedora Linux Distribution - Security Advisories

393

Posted By LinuxSecurity Advisories

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-b60344c987
2020-05-28 01:59:14.571867
--------------------------------------------------------------------------------

Name : dovecot
Product : Fedora 31
Version : 2.3.10.1
Release : 1.fc31
URL : https://www.dovecot.org/
Summary : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

--------------------------------------------------------------------------------
Update Information:

- CVE-2020-10957: lmtp/submission: A client can crash the server by sending a
NOOP command with an invalid string parameter. This occurs particularly for a
parameter that doesn't start with a double quote. This applies to all SMTP
services, including submission-login, which makes it possible to crash the
submission service without authentication. - CVE-2020-10958: lmtp/submission:
Sending many invalid or unknown commands can cause the server to access freed
memory, which can lead to a server crash. This happens when the server closes
the connection with a "421 Too many invalid commands" error. The bad command
limit depends on the service (lmtp or submission) and varies between 10 to
20 bad commands. - CVE-2020-10967: lmtp/submission: Issuing the RCPT command
with an address that has the empty quoted string as local-part causes the
lmtp service to crash.
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 18 2020 Michal Hlavinka - 1:2.3.10.1-1
- dovecot updated to 2.3.10.1
- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1834317 - CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS
https://bugzilla.redhat.com/show_bug.cgi?id=1834317
[ 2 ] Bug #1834323 - CVE-2020-10958 dovecot: command followed by sufficient number of newlines leads to use-after-free
https://bugzilla.redhat.com/show_bug.cgi?id=1834323
[ 3 ] Bug #1834326 - CVE-2020-10967 dovecot: sending mail with empty quoted localpart leads to DoS
https://bugzilla.redhat.com/show_bug.cgi?id=1834326
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-b60344c987' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it.
To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it.
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it.