Fedora 31: dovecot FEDORA-2020-b60344c987
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-b60344c987
2020-05-28 01:59:14.571867
--------------------------------------------------------------------------------

Name        : dovecot
Product     : Fedora 31
Version     : 2.3.10.1
Release     : 1.fc31
URL         : https://www.dovecot.org/
Summary     : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

--------------------------------------------------------------------------------
Update Information:

- CVE-2020-10957: lmtp/submission: A client can crash the server by sending a
  NOOP command with an invalid string parameter. This occurs particularly for
  a parameter that doesn't start with a double quote. This applies to all SMTP
  services, including submission-login, which makes it possible to crash the
  submission service without authentication.
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown commands can
  cause the server to access freed memory, which can lead to a server crash.
  This happens when the server closes the connection with a "421 Too many
  invalid commands" error. The bad command limit depends on the service (lmtp
  or submission) and varies between 10 to 20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address
  that has the empty quoted string as local-part causes the lmtp service to
  crash.
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 18 2020 Michal Hlavinka - 1:2.3.10.1-1
- dovecot updated to 2.3.10.1
- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1834317 - CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS
        https://bugzilla.redhat.com/show_bug.cgi?id=1834317
  [ 2 ] Bug #1834323 - CVE-2020-10958 dovecot: command followed by sufficient number of newlines leads to use-after-free
        https://bugzilla.redhat.com/show_bug.cgi?id=1834323
  [ 3 ] Bug #1834326 - CVE-2020-10967 dovecot: sending mail with empty quoted localpart leads to DoS
        https://bugzilla.redhat.com/show_bug.cgi?id=1834326
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-b60344c987' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------