-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: dovecot security update
Advisory ID:       RHSA-2022:1950-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1950
Issue date:        2022-05-10
CVE Names:         CVE-2021-33515
=====================================================================

1. Summary:

An update for dovecot is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages.

The following packages have been upgraded to a later upstream version: dovecot (2.3.16). (BZ#1980014)

Security Fix(es):

* dovecot: plaintext commands injection (CVE-2021-33515)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.6 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1973610 - CVE-2021-33515 dovecot: plaintext commands injection
1974508 - Dovecot 2.3.8 regression - can not replicate using dsync

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
dovecot-2.3.16-2.el8.src.rpm

aarch64:
dovecot-2.3.16-2.el8.aarch64.rpm
dovecot-debuginfo-2.3.16-2.el8.aarch64.rpm
dovecot-debugsource-2.3.16-2.el8.aarch64.rpm
dovecot-mysql-2.3.16-2.el8.aarch64.rpm
dovecot-mysql-debuginfo-2.3.16-2.el8.aarch64.rpm
dovecot-pgsql-2.3.16-2.el8.aarch64.rpm
dovecot-pgsql-debuginfo-2.3.16-2.el8.aarch64.rpm
dovecot-pigeonhole-2.3.16-2.el8.aarch64.rpm
dovecot-pigeonhole-debuginfo-2.3.16-2.el8.aarch64.rpm

ppc64le:
dovecot-2.3.16-2.el8.ppc64le.rpm
dovecot-debuginfo-2.3.16-2.el8.ppc64le.rpm
dovecot-debugsource-2.3.16-2.el8.ppc64le.rpm
dovecot-mysql-2.3.16-2.el8.ppc64le.rpm
dovecot-mysql-debuginfo-2.3.16-2.el8.ppc64le.rpm
dovecot-pgsql-2.3.16-2.el8.ppc64le.rpm
dovecot-pgsql-debuginfo-2.3.16-2.el8.ppc64le.rpm
dovecot-pigeonhole-2.3.16-2.el8.ppc64le.rpm
dovecot-pigeonhole-debuginfo-2.3.16-2.el8.ppc64le.rpm

s390x:
dovecot-2.3.16-2.el8.s390x.rpm
dovecot-debuginfo-2.3.16-2.el8.s390x.rpm
dovecot-debugsource-2.3.16-2.el8.s390x.rpm
dovecot-mysql-2.3.16-2.el8.s390x.rpm
dovecot-mysql-debuginfo-2.3.16-2.el8.s390x.rpm
dovecot-pgsql-2.3.16-2.el8.s390x.rpm
dovecot-pgsql-debuginfo-2.3.16-2.el8.s390x.rpm
dovecot-pigeonhole-2.3.16-2.el8.s390x.rpm
dovecot-pigeonhole-debuginfo-2.3.16-2.el8.s390x.rpm

x86_64:
dovecot-2.3.16-2.el8.x86_64.rpm
dovecot-debuginfo-2.3.16-2.el8.x86_64.rpm
dovecot-debugsource-2.3.16-2.el8.x86_64.rpm
dovecot-mysql-2.3.16-2.el8.x86_64.rpm
dovecot-mysql-debuginfo-2.3.16-2.el8.x86_64.rpm
dovecot-pgsql-2.3.16-2.el8.x86_64.rpm
dovecot-pgsql-debuginfo-2.3.16-2.el8.x86_64.rpm
dovecot-pigeonhole-2.3.16-2.el8.x86_64.rpm
dovecot-pigeonhole-debuginfo-2.3.16-2.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:
dovecot-debuginfo-2.3.16-2.el8.aarch64.rpm
dovecot-debugsource-2.3.16-2.el8.aarch64.rpm
dovecot-devel-2.3.16-2.el8.aarch64.rpm
dovecot-mysql-debuginfo-2.3.16-2.el8.aarch64.rpm
dovecot-pgsql-debuginfo-2.3.16-2.el8.aarch64.rpm
dovecot-pigeonhole-debuginfo-2.3.16-2.el8.aarch64.rpm

ppc64le:
dovecot-debuginfo-2.3.16-2.el8.ppc64le.rpm
dovecot-debugsource-2.3.16-2.el8.ppc64le.rpm
dovecot-devel-2.3.16-2.el8.ppc64le.rpm
dovecot-mysql-debuginfo-2.3.16-2.el8.ppc64le.rpm
dovecot-pgsql-debuginfo-2.3.16-2.el8.ppc64le.rpm
dovecot-pigeonhole-debuginfo-2.3.16-2.el8.ppc64le.rpm

s390x:
dovecot-debuginfo-2.3.16-2.el8.s390x.rpm
dovecot-debugsource-2.3.16-2.el8.s390x.rpm
dovecot-devel-2.3.16-2.el8.s390x.rpm
dovecot-mysql-debuginfo-2.3.16-2.el8.s390x.rpm
dovecot-pgsql-debuginfo-2.3.16-2.el8.s390x.rpm
dovecot-pigeonhole-debuginfo-2.3.16-2.el8.s390x.rpm

x86_64:
dovecot-2.3.16-2.el8.i686.rpm
dovecot-debuginfo-2.3.16-2.el8.i686.rpm
dovecot-debuginfo-2.3.16-2.el8.x86_64.rpm
dovecot-debugsource-2.3.16-2.el8.i686.rpm
dovecot-debugsource-2.3.16-2.el8.x86_64.rpm
dovecot-devel-2.3.16-2.el8.i686.rpm
dovecot-devel-2.3.16-2.el8.x86_64.rpm
dovecot-mysql-debuginfo-2.3.16-2.el8.i686.rpm
dovecot-mysql-debuginfo-2.3.16-2.el8.x86_64.rpm
dovecot-pgsql-debuginfo-2.3.16-2.el8.i686.rpm
dovecot-pgsql-debuginfo-2.3.16-2.el8.x86_64.rpm
dovecot-pigeonhole-debuginfo-2.3.16-2.el8.i686.rpm
dovecot-pigeonhole-debuginfo-2.3.16-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-33515
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.6_release_notes/

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYnqRkdzjgjWX9erEAQhVQw/+IDKZZQm+xGb+HkNrgFv61d5uFVFNdjCr
1jnKHNCG7yJRY3Fn0vcvuJg5YkPEowVakLOBL7wj7YHhCiG8DetUxKJ4JV6fiGhT
nQBH4UzoJCN8y5OFVSnBv0ROOcTuO5pmOxQMTsf8oxKK2mNkQEEOPJhPK9eFB48O
soZaxU6jADJ456gWX5Fl7rf+0jKvuw9HA2r87Z0FbVfhAIAzZagotm6WS/lBghrm
PbbGb9OjgCATirEa9K5KHVvTXSWMF+UEAVNT5mZ5UXnMbmH9BmN38aGKnc+IUcP7
5r0qRbg6uHGWXwMn5OFh2BZQ+I+zFg8oGr15gU1MTJDSoLrLnZO5hP1B0YvNqc6j
BYHM8PGO3DrDNdWeqd0XwjHG5Ia09Kbmoqtd5If/zUq+oUmzGoiSChbs5rodJFhS
yd8UHANuveHTxmY8fLuSZ6+rW2MyF3w7y1g7oHTw6Lxi4n0nmJ00rhJAIBvLkc5x
Fmo0/jY10W4N/+xY7aDRHsQmHwXOOsKmDUfmZPcZ3HsFUqJcR7n0otCUsYsaw5up
kT6dqOYGHm/L3wJutfBq6jv+V6tVc2eOduv/+OOW9V/U4eScZS0nArNIuzFZT+W8
x2NM6oamUgIwzLOgX8XKYYdwWQ4V2DvX3BLjNk2wjtsLjxqGbG1D1mKMkUH3egVh
LNFu47vy0T8=
=fMfF
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
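The practical question a defender asks of a package list like the one above is whether the build installed on a host is at or above the one the advisory ships. The script below is an added example, not part of RHSA-2022:1950 and not Red Hat tooling: it parses the advisory's file names (copied from section 6) and rpm-style `name-[epoch:]version-release.arch` strings, and compares them with the same numeric-segment ordering rpm uses, so that 2.3.16 is correctly newer than 2.3.8 where a plain string compare would say otherwise. The installed-package strings in `main` are constructed for the demo; on a real host they would come from an `rpm -q` query whose format is assumed here and shown in the module docstring. The one edge case it handles deliberately: file names never carry an epoch (the Fedora changelog further down this page shows dovecot as `1:2.2.16-2`), so an unknown epoch is ignored rather than assumed to be 0, which would otherwise report an unpatched host as fixed.

```python
"""Is the installed dovecot at or above the build an advisory ships?

Added example, not part of RHSA-2022:1950 or of Red Hat's tooling. The
advisory package names below are copied from the page; the "installed"
strings in main() are constructed for the demo. On a real host they would
come from a query such as (assumed, standard rpm query-format syntax):
  rpm -q dovecot --qf '%{NAME}-%|EPOCH?{%{EPOCH}:}:{}|%{VERSION}-%{RELEASE}.%{ARCH}\n'
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# x86_64 AppStream entries from section 6 of RHSA-2022:1950.
ADVISORY_PACKAGES = [
    "dovecot-2.3.16-2.el8.x86_64.rpm",
    "dovecot-mysql-2.3.16-2.el8.x86_64.rpm",
    "dovecot-pgsql-2.3.16-2.el8.x86_64.rpm",
    "dovecot-pigeonhole-2.3.16-2.el8.x86_64.rpm",
]


@dataclass(frozen=True)
class Nevra:
    name: str
    epoch: Optional[int]  # None = unknown: advisory file names never carry it
    version: str
    release: str
    arch: str


def parse_nevra(s: str) -> Nevra:
    """Parse 'name-[epoch:]version-release.arch[.rpm]', e.g. an advisory
    file name or an rpm -q result such as 'dovecot-1:2.2.16-2.fc20.x86_64'."""
    if s.endswith(".rpm"):
        s = s[:-4]
    rest, _, arch = s.rpartition(".")
    name, version, release = rest.rsplit("-", 2)
    epoch: Optional[int] = None
    if ":" in version:
        e, _, version = version.partition(":")
        epoch = int(e)
    return Nevra(name, epoch, version, release, arch)


_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings the way rpm's rpmvercmp() does:
    digit runs compare as integers (2.3.16 > 2.3.8), a numeric segment beats
    an alphabetic one, '~' sorts before anything including end of string,
    '^' sorts after end of string, separators are ignored. Returns -1, 0, 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
        elif x == "^" or y == "^":
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
        elif x is None:
            return -1  # b has segments left over, so b is newer
        elif y is None:
            return 1
        elif x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1  # numeric segment is newer than an alphabetic one
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
        i += 1
    return 0


def compare_evr(a: Nevra, b: Nevra) -> int:
    """Compare (epoch, version, release). An unknown epoch is left out rather
    than assumed to be 0: dovecot carries epoch 1 in its RPM header (see the
    Fedora changelog on this page) while advisory file names show none, and
    treating the unknown as 0 would rank an installed '1:2.3.8' above the
    advisory's 2.3.16 and report an unpatched host as fixed."""
    if a.epoch is not None and b.epoch is not None and a.epoch != b.epoch:
        return 1 if a.epoch > b.epoch else -1
    c = rpmvercmp(a.version, b.version)
    return c if c else rpmvercmp(a.release, b.release)


def is_patched(installed: str, advisory: List[str]) -> Optional[bool]:
    """True/False when the advisory lists the same package name and arch;
    None when it does not, i.e. the advisory says nothing about this package."""
    inst = parse_nevra(installed)
    for entry in advisory:
        adv = parse_nevra(entry)
        if adv.name == inst.name and adv.arch == inst.arch:
            return compare_evr(inst, adv) >= 0
    return None


if __name__ == "__main__":
    # Constructed sample query results, not real hosts.
    for host_pkg in ("dovecot-1:2.3.8-4.el8.x86_64",
                     "dovecot-1:2.3.16-2.el8.x86_64",
                     "dovecot-pigeonhole-2.3.16-2.el8.aarch64"):
        print(f"{host_pkg}: patched={is_patched(host_pkg, ADVISORY_PACKAGES)}")
```

`is_patched` answers only for a package the advisory actually lists for that architecture and returns `None` otherwise; a fleet check should treat `None` as "not covered by this advisory" rather than as "fixed". The version comparison is what matters when a scanner or spreadsheet compares `2.3.16` against `2.3.8` as strings and gets the order backwards.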
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-7159
2015-04-29 08:02:54
--------------------------------------------------------------------------------

Name        : dovecot
Product     : Fedora 20
Version     : 2.2.16
Release     : 2.fc20
URL         :
Summary     : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security primarily in mind. It also contains a small POP3 server. It supports mail in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.
--------------------------------------------------------------------------------
Update Information:

fixes CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process
- dovecot updated to 2.2.16
- auth: Don't crash if master user login is attempted without any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results sometimes if buffering was split in the middle of a UTF-8 character. This affected at least searching messages.
- String sanitization for some logged output wasn't done properly: UTF-8 text could have been truncated wrongly or the truncation may not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32 physical mailboxes could have caused crashes.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 28 2015 Michal Hlavinka - 1:2.2.16-2
- fix CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process
* Mon Mar 16 2015 Michal Hlavinka - 1:2.2.16-1
- dovecot updated to 2.2.16
- auth: Don't crash if master user login is attempted without any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results sometimes if buffering was split in the middle of a UTF-8 character. This affected at least searching messages.
- String sanitization for some logged output wasn't done properly: UTF-8 text could have been truncated wrongly or the truncation may not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32 physical mailboxes could have caused crashes.
* Thu Feb 5 2015 Michal Hlavinka - 1:2.2.15-3
- fix mbox istream crashes (#1189198, #1186504)
* Mon Jan 5 2015 Michal Hlavinka - 1:2.2.15-2
- fix crash related to logging BYE notifications (#1176282)
- update pigeonhole to 0.4.6
* Thu Oct 30 2014 Michal Hlavinka - 1:2.2.15-1
- dovecot updated to 2.2.15
- various race condition fixes to LAYOUT=index
- v2.2.14 virtual plugin crashed in some situations
* Fri Oct 17 2014 Michal Hlavinka - 1:2.2.14-1
- dovecot updated to 2.2.14, pigeonhole updated to 0.4.3
- fixed several race conditions with dovecot.index.cache handling that may have caused unnecessary "cache is corrupted" errors.
- auth: If auth client listed userdb and disconnected before finishing, the auth worker process got stuck
- imap-login, pop3-login: Fixed potential crashes when client disconnected unexpectedly.
- imap proxy: The connection was hanging in some usage patterns.
* Thu Aug 21 2014 Michal Hlavinka - 1:2.2.13-2
- use network-online target instead of just network (#1119814)
* Mon May 12 2014 Michal Hlavinka - 1:2.2.13-1
- dovecot updated to 2.2.13
- fixes CVE-2014-3430: denial of service through maxing out SSL connections
- pop3 server was still crashing in v2.2.12
- maildir: Various fixes and improvements to handling compressed mails
- fts-lucene, fts-solr: Fixed crash on search when the index contained duplicate entries.
- mail_attachment_dir: Attachments with the last base64-encoded line longer than the rest weren't handled correctly.
- IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+
- acl: Global ACL file handling was broken when multiple entries matched the mailbox name
* Fri Feb 14 2014 Michal Hlavinka - 1:2.2.12-1
- dovecot updated to 2.2.12
- fixes pop3 crash
* Thu Feb 13 2014 Michal Hlavinka - 1:2.2.11-1
- dovecot updated to 2.2.11
- imap: SEARCH/SORT PARTIAL responses may have been too large.
- doveadm backup: Fixed assert-crash when syncing mailbox deletion.
* Thu Jan 2 2014 Michal Hlavinka - 1:2.2.10-1
- dovecot updated to 2.2.10
- quota-status: quota_grace was ignored
- ldap: Fixed memory leak with auth_bind=yes and without auth_bind_userdn.
- imap: Don't send HIGHESTMODSEQ anymore on SELECT/EXAMINE when CONDSTORE/QRESYNC has never before been enabled for the mailbox.
- imap: Fixes to handling mailboxes without permanent modseqs. (When [NOMODSEQ] is returned by SELECT, mainly with in-memory indexes.)
- imap: Various fixes to METADATA support.
- stats plugin: Processes that only temporarily dropped privileges (e.g. indexer-worker) may have been logging errors about not being able to open /proc/self/io.
* Mon Nov 25 2013 Michal Hlavinka - 1:2.2.9-1
- improved cache file handling exposed several old bugs related to fetching mail headers.
- iostream handling changes were causing some connections to be disconnected before flushing their output
* Wed Nov 20 2013 Michal Hlavinka - 1:2.2.8-1
- Fixed infinite loop in message parsing if message ends with "--boundary" and CR (without LF). Messages saved via SMTP/LMTP can't trigger this, because messages must end with an "LF.". A user could trigger this for him/herself though.
- lmtp: Client was sometimes disconnected before all the output was sent to it.
- replicator: Database wasn't being exported to disk every 15 minutes as it should have. Instead it was being imported, causing "doveadm replicator remove" commands to not work very well.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1216057 - CVE-2015-3420 dovecot: SSL/TLS handshake failures leading to a crash of the login process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1216057
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use su -c 'yum update dovecot' at the command line. For more information, refer to "Managing Software with yum", available at .

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: dovecot security and bug fix update
Advisory ID:       RHSA-2008:0297-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2008:0297.html
Issue date:        2008-05-20
Updated on:        2008-05-21
CVE Names:         CVE-2007-2231 CVE-2007-4211 CVE-2007-6598 CVE-2008-1199
=====================================================================

1. Summary:

An updated dovecot package that fixes several security issues and various bugs is now available for Red Hat Enterprise Linux 5.

This update has been rated as having low security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Dovecot is an IMAP server for Linux and UNIX-like systems, primarily written with security in mind.

A flaw was discovered in the way Dovecot handled the "mail_extra_groups" option. An authenticated attacker with local shell access could leverage this flaw to read, modify, or delete other users' mail that is stored on the mail server. (CVE-2008-1199)

This issue did not affect the default Red Hat Enterprise Linux 5 Dovecot configuration. This update adds two new configuration options -- "mail_privileged_group" and "mail_access_groups" -- to minimize the usage of additional privileges.

A directory traversal flaw was discovered in Dovecot's zlib plug-in. An authenticated user could use this flaw to view other compressed mailboxes with the permissions of the Dovecot process. (CVE-2007-2231)

A flaw was found in the Dovecot ACL plug-in. A user with only insert permissions for a mailbox could use the "COPY" and "APPEND" commands to set additional message flags. (CVE-2007-4211)

A flaw was found in the way Dovecot cached LDAP query results in certain configurations. This could possibly allow authenticated users to log in as a different user who has the same password. (CVE-2007-6598)

As well, this updated package fixes the following bugs:

* configuring "userdb" and "passdb" to use LDAP caused Dovecot to hang. A segmentation fault may have occurred. In this updated package, using an LDAP backend for "userdb" and "passdb" no longer causes Dovecot to hang.

* the Dovecot "login_process_size" limit was configured for 32-bit systems. On 64-bit systems, when Dovecot was configured to use either IMAP or POP3, the login processes crashed with out-of-memory errors. Errors such as the following were logged:

pop3-login: pop3-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory

In this updated package, the "login_process_size" limit is correctly configured on 64-bit systems, which resolves this issue.

Note: this updated package upgrades dovecot to version 1.0.7. For further details, refer to the Dovecot changelog:

Users of dovecot are advised to upgrade to this updated package, which resolves these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at

5. Bugs fixed (http://bugzilla.redhat.com/):

238439 - CVE-2007-2231 Directory traversal in dovecot with zlib plugin
245249 - Dovecot hangs while using ldap backend.
251007 - CVE-2007-4211 Dovecot possible privilege escalation in ACL plugin
253363 - Dovecot pop3-login/imap-login crash with OOM error
331441 - Please consider upgrading Dovecot to 1.0rc23 at least
380401 - tracker bug for 1.0.7 rebase
427575 - CVE-2007-6598: dovecot LDAP+auth cache user login mixup
436927 - CVE-2008-1199 dovecot: insecure mail_extra_groups option

6. Package List:

RHEL Desktop Workstation (v. 5 client):

Source:

i386:
dovecot-1.0.7-2.el5.i386.rpm
dovecot-debuginfo-1.0.7-2.el5.i386.rpm

x86_64:
dovecot-1.0.7-2.el5.x86_64.rpm
dovecot-debuginfo-1.0.7-2.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:

i386:
dovecot-1.0.7-2.el5.i386.rpm
dovecot-debuginfo-1.0.7-2.el5.i386.rpm

ia64:
dovecot-1.0.7-2.el5.ia64.rpm
dovecot-debuginfo-1.0.7-2.el5.ia64.rpm

ppc:
dovecot-1.0.7-2.el5.ppc.rpm
dovecot-debuginfo-1.0.7-2.el5.ppc.rpm

s390x:
dovecot-1.0.7-2.el5.s390x.rpm
dovecot-debuginfo-1.0.7-2.el5.s390x.rpm

x86_64:
dovecot-1.0.7-2.el5.x86_64.rpm
dovecot-debuginfo-1.0.7-2.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package

7. References:

https://www.cve.org/CVERecord?id=CVE-2007-2231
https://www.cve.org/CVERecord?id=CVE-2007-4211
https://www.cve.org/CVERecord?id=CVE-2007-6598
https://www.cve.org/CVERecord?id=CVE-2008-1199
https://access.redhat.com/security/updates/classification#low

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.