Alerts This Week
Warning Icon 1 692
Alerts This Week
Warning Icon 1 692

openSUSE: 2021:1225-1 Moderate: Dovecot23 DoS Mitigation

opensuse
Calendar Grey September 3, 2021
Dist Opensuse Esm H88
The latest security patch for openSUSE mitigates various weaknesses found in dovecot23, covering threats related to local exploitation and potential denial of service scenarios.
An update that solves two vulnerabilities, contains one feature and has one errata is now available

Description

This update for dovecot23 fixes the following issues:

Update dovecot to version 2.3.15 (jsc#SLE-19970):

Security issues fixed:

- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in

JWT tokens. This may be used to supply attacker controlled keys to

validate tokens, if attacker has local access. (bsc#1187418) Local

attacker can login as any user and access their emails

- CVE-2021-33515: On-path attacker could have injected plaintext commands

before STARTTLS negotiation that would be executed after STARTTLS

finished with the client. (bsc#1187419) Attacker can potentially steal

user credentials and mails

* Disconnection log messages are now more standardized across services.

They also always now start with "Disconnected" prefix.

* Dovecot now depends on libsystemd for systemd integration.

* Removed support for Lua 5.2. Use version 5.1 or 5.3 instead.

* config: Some settings are now marked as "hidden"....

Read the Full Advisory

Topics%20covered

Topics Covered

security advisory DoS patch attack risks openSUSE Dovecot23 mail services

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-1225=1

Package List

- openSUSE Leap 15.2 (x86_64):

dovecot23-2.3.15-lp152.2.12.1

dovecot23-backend-mysql-2.3.15-lp152.2.12.1

dovecot23-backend-mysql-debuginfo-2.3.15-lp152.2.12.1

dovecot23-backend-pgsql-2.3.15-lp152.2.12.1

dovecot23-backend-pgsql-debuginfo-2.3.15-lp152.2.12.1

dovecot23-backend-sqlite-2.3.15-lp152.2.12.1

dovecot23-backend-sqlite-debuginfo-2.3.15-lp152.2.12.1

dovecot23-debuginfo-2.3.15-lp152.2.12.1

dovecot23-debugsource-2.3.15-lp152.2.12.1

dovecot23-devel-2.3.15-lp152.2.12.1

dovecot23-fts-2.3.15-lp152.2.12.1

dovecot23-fts-debuginfo-2.3.15-lp152.2.12.1

dovecot23-fts-lucene-2.3.15-lp152.2.12.1

dovecot23-fts-lucene-debuginfo-2.3.15-lp152.2.12.1

dovecot23-fts-solr-2.3.15-lp152.2.12.1

dovecot23-fts-solr-debuginfo-2.3.15-lp152.2.12.1

dovecot23-fts-squat-2.3.15-lp152.2.12.1

dovecot23-fts-squat-debuginfo-2.3.15-lp152.2.12.1

References

https://www.suse.com/security/cve/CVE-2020-28200.html

https://www.suse.com/security/cve/CVE-2021-29157.html

https://bugzilla.suse.com/1187418

https://bugzilla.suse.com/1187419

https://bugzilla.suse.com/1187420

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2021:1225-1
Rating: moderate
Affected Products: openSUSE Leap 15.2 ble.

Topics%20covered

Topics Covered

security advisory DoS patch attack risks openSUSE Dovecot23 mail services

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here