MGASA-2021-0008 - Updated dovecot packages fix security vulnerabilities

Publication date: 08 Jan 2021
URL: https://advisories.mageia.org/MGASA-2021-0008.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-24386,
     CVE-2020-25275

It was discovered that Dovecot incorrectly handled certain IMAP hibernation
commands. A remote authenticated attacker could possibly use this issue to
access other users’ email (CVE-2020-24386).

Innokentii Sennovskiy discovered that Dovecot incorrectly handled MIME
parsing. A remote attacker could possibly use this issue to cause Dovecot
to crash, resulting in a denial of service (CVE-2020-25275).

The dovecot package has been updated to version 2.3.13, fixing these issues
and other bugs. See the upstream release announcement for details.

References:
- https://bugs.mageia.org/show_bug.cgi?id=28012
- https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
- https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html
- https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
- https://ubuntu.com/security/notices/USN-4674-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24386
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25275

SRPMS:
- 7/core/dovecot-2.3.13-1.mga7