What Are You Looking For?

Sign Up
--------------------------------------------------------------------------------Fedora Update Notification
FEDORA-2020-b60344c987
2020-05-28 01:59:14.571867
--------------------------------------------------------------------------------Name        : dovecot
Product     : Fedora 31
Version     : 2.3.10.1
Release     : 1.fc31
URL         : http://www.dovecot.org/
Summary     : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind.  It also contains a small POP3 server.  It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

--------------------------------------------------------------------------------Update Information:

- CVE-2020-10957: lmtp/submission: A client can crash the server by   sending a
NOOP command with an invalid string parameter. This occurs   particularly for a
parameter that doesn't start with a double quote.   This applies to all SMTP
services, including submission-login, which   makes it possible to crash the
submission service without   authentication. - CVE-2020-10958: lmtp/submission:
Sending many invalid or unknown   commands can cause the server to access freed
memory, which can lead   to a server crash. This happens when the server closes
the connection   with a "421 Too many invalid commands" error. The bad command
limit   depends on the service (lmtp or submission) and varies between 10 to
20 bad commands. - CVE-2020-10967: lmtp/submission: Issuing the RCPT command
with an   address that has the empty quoted string as local-part causes the
lmtp service to crash.
--------------------------------------------------------------------------------ChangeLog:

* Mon May 18 2020 Michal Hlavinka  - 1:2.3.10.1-1
- dovecot updated to 2.3.10.1
- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957
--------------------------------------------------------------------------------References:

  [ 1 ] Bug #1834317 - CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS
        https://bugzilla.redhat.com/show_bug.cgi?id=1834317
  [ 2 ] Bug #1834323 - CVE-2020-10958 dovecot: command followed by sufficient number of newlines leads to use-after-free
        https://bugzilla.redhat.com/show_bug.cgi?id=1834323
  [ 3 ] Bug #1834326 - CVE-2020-10967 dovecot: sending mail with empty quoted localpart leads to DoS
        https://bugzilla.redhat.com/show_bug.cgi?id=1834326
--------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-b60344c987' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

Fedora 31: dovecot FEDORA-2020-b60344c987

May 27, 2020
- CVE-2020-10957: lmtp/submission: A client can crash the server by sending a NOOP command with an invalid string parameter

Summary

Dovecot is an IMAP server for Linux/UNIX-like systems, written with security

primarily in mind. It also contains a small POP3 server. It supports mail

in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

- CVE-2020-10957: lmtp/submission: A client can crash the server by sending a

NOOP command with an invalid string parameter. This occurs particularly for a

parameter that doesn't start with a double quote. This applies to all SMTP

services, including submission-login, which makes it possible to crash the

submission service without authentication. - CVE-2020-10958: lmtp/submission:

Sending many invalid or unknown commands can cause the server to access freed

memory, which can lead to a server crash. This happens when the server closes

the connection with a "421 Too many invalid commands" error. The bad command

limit depends on the service (lmtp or submission) and varies between 10 to

20 bad commands. - CVE-2020-10967: lmtp/submission: Issuing the RCPT command

with an address that has the empty quoted string as local-part causes the

lmtp service to crash.

* Mon May 18 2020 Michal Hlavinka - 1:2.3.10.1-1

- dovecot updated to 2.3.10.1

- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957

[ 1 ] Bug #1834317 - CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS

https://bugzilla.redhat.com/show_bug.cgi?id=1834317

[ 2 ] Bug #1834323 - CVE-2020-10958 dovecot: command followed by sufficient number of newlines leads to use-after-free

https://bugzilla.redhat.com/show_bug.cgi?id=1834323

[ 3 ] Bug #1834326 - CVE-2020-10967 dovecot: sending mail with empty quoted localpart leads to DoS

https://bugzilla.redhat.com/show_bug.cgi?id=1834326

su -c 'dnf upgrade --advisory FEDORA-2020-b60344c987' at the command

line. For more information, refer to the dnf documentation available at

http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/keys

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

FEDORA-2020-b60344c987 2020-05-28 01:59:14.571867 Product : Fedora 31 Version : 2.3.10.1 Release : 1.fc31 URL : http://www.dovecot.org/ Summary : Secure imap and pop3 server Description : Dovecot is an IMAP server for Linux/UNIX-like systems, written with security primarily in mind. It also contains a small POP3 server. It supports mail in either of maildir or mbox formats. The SQL drivers and authentication plug-ins are in their subpackages. - CVE-2020-10957: lmtp/submission: A client can crash the server by sending a NOOP command with an invalid string parameter. This occurs particularly for a parameter that doesn't start with a double quote. This applies to all SMTP services, including submission-login, which makes it possible to crash the submission service without authentication. - CVE-2020-10958: lmtp/submission: Sending many invalid or unknown commands can cause the server to access freed memory, which can lead to a server crash. This happens when the server closes the connection with a "421 Too many invalid commands" error. The bad command limit depends on the service (lmtp or submission) and varies between 10 to 20 bad commands. - CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash. * Mon May 18 2020 Michal Hlavinka - 1:2.3.10.1-1 - dovecot updated to 2.3.10.1 - fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957 [ 1 ] Bug #1834317 - CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS https://bugzilla.redhat.com/show_bug.cgi?id=1834317 [ 2 ] Bug #1834323 - CVE-2020-10958 dovecot: command followed by sufficient number of newlines leads to use-after-free https://bugzilla.redhat.com/show_bug.cgi?id=1834323 [ 3 ] Bug #1834326 - CVE-2020-10967 dovecot: sending mail with empty quoted localpart leads to DoS https://bugzilla.redhat.com/show_bug.cgi?id=1834326 su -c 'dnf upgrade --advisory FEDORA-2020-b60344c987' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

Change Log

References

Update Instructions

Severity
Product : Fedora 31
Version : 2.3.10.1
Release : 1.fc31
URL : http://www.dovecot.org/
Summary : Secure imap and pop3 server

Related News

Krasue RAT Malware Hides on Linux Servers Using Embedded Rootkits

Dec 7, 2023

Ubuntu Server Security Best Practices

Oct 15, 2023

Harden Ubuntu Server to Secure Your Container and Other Deployments

Sep 17, 2023

Widespread Xorg DoS, Privilege Escalation Vulns Fixed

Nov 13, 2023

News

Advisories

HOWTOs

Features

Password Guessing as an Attack Vector
Using Open Source to Ensure Compliance & Data Integrity through Data Governance
Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management

About Us

Powered By

Footer Logo