Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 488
Alerts This Week
Warning Icon 1 488

SUSE: 2021:2890-2 Moderate: Postfix15 Security Vulnerabilities

suse
Calendar Grey August 31, 2021
Scroller Suse
Dovecot 23 has released a crucial update to address several security vulnerabilities. Users are strongly encouraged to implement the patch promptly to bolster their system's defenses.
An update that solves two vulnerabilities, contains one feature and has one errata is now available

Summary

This update for dovecot23 fixes the following issues: Update dovecot to version 2.3.15 (jsc#SLE-19970): Security issues fixed: - CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens, if attacker has local access. (bsc#1187418) Local attacker can login as any user and access their emails - CVE-2021-33515: On-path attacker could have injected plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client. (bsc#1187419) Attacker can potentially steal user credentials and mails * Disconnection log messages are now more standardized across services. They also always now start with "Disconnected" prefix. * Dovecot now depends on libsystemd for systemd integration.

References

#1187418 #1187419 #1187420 SLE-19970

Cross- CVE-2020-28200 CVE-2021-29157

CVSS scores:

CVE-2020-28200 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CVE-2020-28200 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CVE-2021-29157 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products:

SUSE Linux Enterprise Server for SAP 15

SUSE Linux Enterprise Server 15-LTSS

SUSE Linux Enterprise High Performance Computing 15-LTSS

SUSE Linux Enterprise High Performance Computing 15-ESPOS

https://www.suse.com/security/cve/CVE-2020-28200.html

https://www.suse.com/security/cve/CVE-2021-29157.html

https://bugzilla.suse.com/1187418

https://bugzilla.suse.com/1187419

https://bugzilla.suse.com/1187420

Announcement ID: SUSE-SU-2021:2890-1
Rating: moderate

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.