
Mageia 8: 2021-0557 Moderate: Dovecot Resource Risks and Fixes

December 19, 2021
Updated dovecot packages for Mageia 8 fix three moderate-severity vulnerabilities: uncontrolled resource consumption in the Sieve regex extension, a path traversal that lets a local attacker supply the HS256 key used for OAuth2 JWT validation, and STARTTLS command injection in the submission service that can redirect mail to an attacker-controlled address.

Summary

Updated dovecot packages fix security vulnerabilities:
The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension (CVE-2020-28200).
Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver (CVE-2021-29157).
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address (CVE-2021-33515).

References

- https://bugs.mageia.org/show_bug.cgi?id=29160

- https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html

- https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html

- https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html

- https://dovecot.org/pipermail/dovecot-news/2021-June/000459.html

- https://dovecot.org/pipermail/dovecot-news/2021-June/000457.html

- https://dovecot.org/pipermail/dovecot-news/2021-October/000465.html

- https://dovecot.org/pipermail/dovecot-news/2021-December/000468.html

- https://www.cve.org/CVERecord?id=CVE-2020-28200

- https://www.cve.org/CVERecord?id=CVE-2021-29157

- https://www.cve.org/CVERecord?id=CVE-2021-33515

Resolution

SRPMS

- 8/core/dovecot-2.3.17.1-1.1.mga8
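To confirm a Mageia 8 host actually carries the fixed build, compare the installed VERSION-RELEASE of the dovecot package against the SRPM named above. The following is an added example, not part of the Mageia advisory or of Dovecot: it reimplements rpm's segment-wise version comparison (rpmvercmp) in Python so the check can be run against saved `rpm -q` output, and the sample query output it processes is constructed for illustration.

```python
"""Check whether an installed dovecot package is at or past the fixed build
named in MGASA-2021-0557 (dovecot-2.3.17.1-1.1.mga8).

Added example, not code from Mageia or Dovecot. rpmvercmp() below
reimplements rpm's version comparison: the string is split into numeric and
alphabetic segments; numeric segments compare as integers, alphabetic ones
lexically, a numeric segment beats an alphabetic one, and '~' sorts before
anything (so 2.3.17~rc1 < 2.3.17). The '^' operator of newer rpm is omitted.

Collect real input with:
    rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' dovecot
rpm prints '(none)' for a missing epoch, which is treated as 0 here.
"""
import re

# VERSION-RELEASE taken from the SRPMS line of the advisory.
FIXED_EVR = "2.3.17.1-1.1.mga8"

_SEG = re.compile(r"(\d+|[A-Za-z]+|~)")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp(a, b)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:                      # the side with '~' is older
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)           # numeric segments: integer compare
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric beats alphabetic
        if x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # One side has extra segments: a leading '~' makes the longer side older,
    # otherwise the longer side is newer (2.3.17.1 > 2.3.17).
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def split_evr(evr):
    """Split 'E:V-R' or 'V-R' into (epoch, version, release); no epoch -> 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)
    version, _, release = evr.rpartition("-")
    if not version:                         # bare version, no release
        version, release = release, ""
    return epoch, version, release


def evrcmp(a, b):
    """Compare two EVR strings the way rpm orders packages: epoch, version, release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def is_fixed(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed EVR is equal to or newer than the advisory's build."""
    return evrcmp(installed_evr, fixed_evr) >= 0


def check_rpm_output(text, fixed_evr=FIXED_EVR):
    """Parse 'NAME E:V-R' lines from the rpm query above; return {name: patched?}."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            name, evr = line.split(None, 1)
            result[name] = is_fixed(evr.strip(), fixed_evr)
    return result


# Constructed sample: what the rpm query could print on an unpatched host.
# Not taken from a real system.
SAMPLE_RPM_OUTPUT = "dovecot (none):2.3.13-1.mga8\n"

if __name__ == "__main__":
    for name, ok in check_rpm_output(SAMPLE_RPM_OUTPUT).items():
        print(f"{name}: {'patched' if ok else 'VULNERABLE, below ' + FIXED_EVR}")
```

Note the release field matters: a hypothetical 2.3.17.1-1.mga8 is older than the 2.3.17.1-1.1.mga8 named in the advisory and is reported as unpatched, while any later epoch, version or release is accepted.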

Publication date: 19 Dec 2021
URL: https://advisories.mageia.org/MGASA-2021-0557.html
Type: security
CVE: CVE-2020-28200, CVE-2021-29157, CVE-2021-33515
