   openSUSE Security Update: Security update for dovecot23
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:2123-1
Rating:             important
References:         #1187418 #1187419
Cross-References:   CVE-2021-29157 CVE-2021-33515
CVSS scores:
                    CVE-2021-29157 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-33515 (NVD) : 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2021-33515 (SUSE): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected Products:
                    openSUSE Leap 15.3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for dovecot23 fixes the following issues:

   - CVE-2021-29157: A local attacker can log in as any user and access their
     emails (bsc#1187418).
   - CVE-2021-33515: An attacker can potentially steal user credentials and
     mails (bsc#1187419).

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2021-2123=1

Package List:

   - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

      dovecot23-2.3.11.3-55.1
      dovecot23-backend-mysql-2.3.11.3-55.1
      dovecot23-backend-mysql-debuginfo-2.3.11.3-55.1
      dovecot23-backend-pgsql-2.3.11.3-55.1
      dovecot23-backend-pgsql-debuginfo-2.3.11.3-55.1
      dovecot23-backend-sqlite-2.3.11.3-55.1
      dovecot23-backend-sqlite-debuginfo-2.3.11.3-55.1
      dovecot23-debuginfo-2.3.11.3-55.1
      dovecot23-debugsource-2.3.11.3-55.1
      dovecot23-devel-2.3.11.3-55.1
      dovecot23-fts-2.3.11.3-55.1
      dovecot23-fts-debuginfo-2.3.11.3-55.1
      dovecot23-fts-lucene-2.3.11.3-55.1
      dovecot23-fts-lucene-debuginfo-2.3.11.3-55.1
      dovecot23-fts-solr-2.3.11.3-55.1
      dovecot23-fts-solr-debuginfo-2.3.11.3-55.1
      dovecot23-fts-squat-2.3.11.3-55.1
      dovecot23-fts-squat-debuginfo-2.3.11.3-55.1

References:

   https://www.suse.com/security/cve/CVE-2021-29157.html
   https://www.suse.com/security/cve/CVE-2021-33515.html
   https://bugzilla.suse.com/1187418
   https://bugzilla.suse.com/1187419
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-c90cb486f7
2021-01-20 01:26:41.921779
--------------------------------------------------------------------------------

Name        : dovecot
Product     : Fedora 32
Version     : 2.3.13
Release     : 2.fc32
URL         : https://dovecot.org/
Summary     : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail in
either of maildir or mbox formats. The SQL drivers and authentication plug-ins
are in their subpackages.
--------------------------------------------------------------------------------
Update Information:

fix rundir location
----
- dovecot updated to 2.3.13, pigeonhole to 0.5.13
- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to allow
  logged in user to access other people's emails and filesystem information.
- Metric filter and global event filter variable syntax changed to a SQL-like
  format.
- auth: Added new aliases for %{variables}. Usage of the old ones is possible,
  but discouraged.
- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth mechanism
  and related password schemes.
- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
- auth: Removed postfix postmap socket
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan  7 2021 Michal Hlavinka - 1:2.3.13-2
- fix rundir location
* Wed Jan  6 2021 Michal Hlavinka - 1:2.3.13-1
- fix release number
* Mon Jan  4 2021 Michal Hlavinka - 1:2.3.13-0
- dovecot updated to 2.3.13, pigeonhole to 0.5.13
- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to allow
  logged in user to access other people's emails and filesystem information.
- Metric filter and global event filter variable syntax changed to a SQL-like
  format.
- auth: Added new aliases for %{variables}. Usage of the old ones is possible,
  but discouraged.
- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth mechanism
  and related password schemes.
- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
- auth: Removed postfix postmap socket
* Wed Oct 21 2020 Michal Hlavinka - 1:2.3.11.3-7
- change run directory from /var/run to /run (#1777922)
* Wed Oct 21 2020 Michal Hlavinka - 1:2.3.11.3-6
- use bigger default key size (#1882939)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1912455 - CVE-2020-24386 dovecot: IMAP hibernation function allows mail access
        https://bugzilla.redhat.com/show_bug.cgi?id=1912455
  [ 2 ] Bug #1912460 - CVE-2020-25275 dovecot: Denial of service via mail MIME parsing
        https://bugzilla.redhat.com/show_bug.cgi?id=1912460
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-c90cb486f7' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
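Both the openSUSE and the Fedora advisories above name the package versions that carry the fix, and the only reliable way to compare an installed version against them is RPM's own ordering (epoch first, then version, then release, each split into numeric and alphabetic segments). The following is an added example, not code from either distribution or from the Dovecot project: a Python port of rpmvercmp driven by a few package-list lines copied from the advisories and a constructed `rpm -qa` snapshot. The snapshot lines, the package subset and the status labels are assumptions made for the example.

```python
"""Check an rpm -qa snapshot against the package versions an advisory names
as fixed, using RPM's own version-ordering rules (rpmvercmp)."""


def rpmvercmp(a: str, b: str) -> int:
    """Port of RPM's rpmvercmp: split into numeric/alpha segments, compare
    numerics numerically and alphas lexically, a numeric segment beats an alpha
    one, '~' sorts before everything (even end of string) and '^' sorts after
    end of string but before anything else."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1                                  # skip separators
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        a_caret = i < len(a) and a[i] == "^"
        b_caret = j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        si, sj = i, j
        numeric = a[i].isdigit()
        if numeric:
            while i < len(a) and a[i].isdigit():
                i += 1
            while j < len(b) and b[j].isdigit():
                j += 1
        else:
            while i < len(a) and a[i].isalpha():
                i += 1
            while j < len(b) and b[j].isalpha():
                j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                               # segment types differ: numeric wins
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1                 # the longer one is newer


def parse_evr(evr: str):
    """'1:2.3.13-2.fc32' -> (1, '2.3.13', '2.fc32'); a missing epoch is 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")      # an RPM version cannot contain '-'
    return (int(epoch) if epoch else 0, version, release)


def evr_cmp(x: str, y: str) -> int:
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def fixed_from_package_list(lines) -> dict:
    """'dovecot23-fts-lucene-2.3.11.3-55.1' -> {'dovecot23-fts-lucene': '2.3.11.3-55.1'}."""
    fixed = {}
    for line in lines:
        name, version, release = line.strip().rsplit("-", 2)
        fixed[name] = f"{version}-{release}"
    return fixed


# Three lines copied from the openSUSE-SU-2021:2123-1 package list (Leap 15.3).
OPENSUSE_2123_PACKAGES = """
dovecot23-2.3.11.3-55.1
dovecot23-backend-mysql-2.3.11.3-55.1
dovecot23-fts-lucene-2.3.11.3-55.1
""".split()

# FEDORA-2021-c90cb486f7: Name/Version/Release 2.3.13-2.fc32; Fedora's dovecot
# carries epoch 1, as the ChangeLog entries show.
FEDORA_FIXED = {"dovecot": "1:2.3.13-2.fc32"}

# Constructed snapshots (not from real hosts) in the shape produced by
#   rpm -qa --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}|:%{VERSION}-%{RELEASE}\n'
OPENSUSE_SNAPSHOT = "dovecot23 0:2.3.11.3-52.3\ndovecot23-fts-lucene 0:2.3.11.3-55.1\n"
FEDORA_SNAPSHOT = "dovecot 1:2.3.11.3-7.fc32\n"


def audit(fixed: dict, snapshot: str) -> dict:
    """Status per advisory package: 'vulnerable', 'patched' or 'not installed'."""
    installed = dict(line.split() for line in snapshot.splitlines() if line.strip())
    result = {}
    for name, fixed_evr in fixed.items():
        have = installed.get(name)
        if have is None:
            result[name] = "not installed"
        else:
            result[name] = "vulnerable" if evr_cmp(have, fixed_evr) < 0 else "patched"
    return result


if __name__ == "__main__":
    for distro, fixed, snap in (("openSUSE", fixed_from_package_list(OPENSUSE_2123_PACKAGES), OPENSUSE_SNAPSHOT),
                                ("Fedora", FEDORA_FIXED, FEDORA_SNAPSHOT)):
        for name, status in audit(fixed, snap).items():
            print(f"{distro}: {name}: {status}")
```

The epoch matters in practice: a Fedora host reporting `2.3.13-2.fc32` with epoch 0 would still sort below `1:2.3.11.3-7.fc32`, which is why the query format above forces the epoch to be printed rather than shown as `(none)`.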
   openSUSE Security Update: Security update for dovecot23
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:0072-1
Rating:             important
References:         #1174920 #1180405 #1180406
Cross-References:   CVE-2020-12100 CVE-2020-24386 CVE-2020-25275
Affected Products:
                    openSUSE Leap 15.1
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for dovecot23 fixes the following issues:

   Security issues fixed:

   - CVE-2020-12100: Fixed a resource exhaustion caused by deeply nested MIME
     parts (bsc#1174920).
   - CVE-2020-24386: Fixed an issue with IMAP hibernation that allowed users to
     access other users' emails (bsc#1180405).
   - CVE-2020-25275: Fixed a crash when the 10000th MIME part was
     message/rfc822 (bsc#1180406).

   Non-security issues fixed:

   - Pigeonhole was updated to version 0.5.11.
   - Dovecot was updated to version 2.3.11.3.

   This update was imported from the SUSE:SLE-15-SP1:Update update project.

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.1:

      zypper in -t patch openSUSE-2021-72=1

Package List:

   - openSUSE Leap 15.1 (x86_64):

      dovecot23-2.3.11.3-lp151.2.15.1
      dovecot23-backend-mysql-2.3.11.3-lp151.2.15.1
      dovecot23-backend-mysql-debuginfo-2.3.11.3-lp151.2.15.1
      dovecot23-backend-pgsql-2.3.11.3-lp151.2.15.1
      dovecot23-backend-pgsql-debuginfo-2.3.11.3-lp151.2.15.1
      dovecot23-backend-sqlite-2.3.11.3-lp151.2.15.1
      dovecot23-backend-sqlite-debuginfo-2.3.11.3-lp151.2.15.1
      dovecot23-debuginfo-2.3.11.3-lp151.2.15.1
      dovecot23-debugsource-2.3.11.3-lp151.2.15.1
      dovecot23-devel-2.3.11.3-lp151.2.15.1
      dovecot23-fts-2.3.11.3-lp151.2.15.1
      dovecot23-fts-debuginfo-2.3.11.3-lp151.2.15.1
      dovecot23-fts-lucene-2.3.11.3-lp151.2.15.1
      dovecot23-fts-lucene-debuginfo-2.3.11.3-lp151.2.15.1
      dovecot23-fts-solr-2.3.11.3-lp151.2.15.1
      dovecot23-fts-solr-debuginfo-2.3.11.3-lp151.2.15.1
      dovecot23-fts-squat-2.3.11.3-lp151.2.15.1
      dovecot23-fts-squat-debuginfo-2.3.11.3-lp151.2.15.1

References:

   https://www.suse.com/security/cve/CVE-2020-12100.html
   https://www.suse.com/security/cve/CVE-2020-24386.html
   https://www.suse.com/security/cve/CVE-2020-25275.html
   https://bugzilla.suse.com/1174920
   https://bugzilla.suse.com/1180405
   https://bugzilla.suse.com/1180406
MGASA-2021-0008 - Updated dovecot packages fix security vulnerabilities

Publication date: 08 Jan 2021
URL: https://advisories.mageia.org/MGASA-2021-0008.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-24386, CVE-2020-25275

It was discovered that Dovecot incorrectly handled certain IMAP hibernation
commands. A remote authenticated attacker could possibly use this issue to
access other users' email (CVE-2020-24386).

Innokentii Sennovskiy discovered that Dovecot incorrectly handled MIME parsing.
A remote attacker could possibly use this issue to cause Dovecot to crash,
resulting in a denial of service (CVE-2020-25275).

The dovecot package has been updated to version 2.3.13, fixing these issues
and other bugs. See the upstream release announcement for details.

References:
- https://bugs.mageia.org/show_bug.cgi?id=28012
- https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
- https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html
- https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
- https://ubuntu.com/security/notices/USN-4674-1
- https://www.cve.org/CVERecord?id=CVE-2020-24386
- https://www.cve.org/CVERecord?id=CVE-2020-25275

SRPMS:
- 7/core/dovecot-2.3.13-1.mga7
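The openSUSE advisory above describes the two MIME failure modes concretely (resource exhaustion from deeply nested parts in CVE-2020-12100, and a crash when the 10000th part was message/rfc822 in CVE-2020-25275); the Mageia advisory summarises the second as a remotely triggerable denial of service. What both fixes have in common is a bound enforced while the structure is being read, before a recursive parser has committed stack or memory to it. The following is an added example, not Dovecot's parser or any code from the advisories: a small streaming MIME structure scanner that counts parts and nesting (multipart/* and message/rfc822 both count as a level) and stops at configurable limits. The limit values, the test-message builders and the regular expressions are assumptions made for the example.

```python
"""Bounded MIME structure scan: count parts and nesting depth of a message
without building a tree, and stop as soon as a limit is crossed."""
import re

MAX_DEPTH = 100      # assumed limits for this example, not Dovecot's values
MAX_PARTS = 10000

CONTENT_TYPE_RE = re.compile(rb"^content-type:\s*([^;\s]+)(.*)$", re.I)
BOUNDARY_RE = re.compile(rb'boundary="?([^";\r\n]+)"?', re.I)


class MimeLimitExceeded(Exception):
    pass


def scan_mime(raw: bytes, max_depth: int = MAX_DEPTH, max_parts: int = MAX_PARTS) -> dict:
    """Walk the MIME structure of a CRLF-terminated message. Returns
    {'parts': n, 'depth': d} or raises MimeLimitExceeded at the first part
    that crosses a limit, before any further input is consumed."""
    lines = raw.split(b"\r\n")
    stats = {"parts": 0, "depth": 0}
    stack = []   # (boundary, depth of the parts it delimits) for open multiparts

    def read_part(i: int, depth: int) -> int:
        """Read one part's header block starting at line i and return the index
        of its first body line. A multipart pushes its boundary; a
        message/rfc822 part is followed directly by the embedded message's
        headers, so it is read as one more level."""
        stats["parts"] += 1
        stats["depth"] = max(stats["depth"], depth)
        if stats["parts"] > max_parts:
            raise MimeLimitExceeded(f"more than {max_parts} MIME parts")
        if depth > max_depth:
            raise MimeLimitExceeded(f"MIME nesting deeper than {max_depth}")
        headers = []
        while i < len(lines) and lines[i] != b"":
            if lines[i][:1] in (b" ", b"\t") and headers:   # folded header line
                headers[-1] += b" " + lines[i].strip()
            else:
                headers.append(lines[i])
            i += 1
        ctype, boundary = b"text/plain", None
        for h in headers:
            m = CONTENT_TYPE_RE.match(h)
            if m:
                ctype = m.group(1).lower()
                b = BOUNDARY_RE.search(m.group(2))
                boundary = b.group(1) if b else None
        i += 1                                   # skip the blank line ending the headers
        if ctype.startswith(b"multipart/") and boundary:
            stack.append((boundary, depth + 1))
        elif ctype == b"message/rfc822":
            return read_part(i, depth + 1)
        return i

    i = read_part(0, 0)
    while i < len(lines):
        line = lines[i]
        i += 1
        for k in range(len(stack) - 1, -1, -1):  # innermost open boundary first
            boundary, child_depth = stack[k]
            if line == b"--" + boundary:
                del stack[k + 1:]                # unterminated inner parts end here
                i = read_part(i, child_depth)
                break
            if line == b"--" + boundary + b"--":
                del stack[k:]
                break
    return stats


def within_limits(raw: bytes, **limits) -> bool:
    try:
        scan_mime(raw, **limits)
        return True
    except MimeLimitExceeded:
        return False


def nested_mime(depth: int) -> bytes:
    """Constructed input: a text/plain leaf wrapped in `depth` multipart/mixed layers."""
    body = b"Content-Type: text/plain\r\n\r\nleaf\r\n"
    for n in range(depth):
        b = b"b%d" % n
        body = (b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
                b"--" + b + b"\r\n" + body + b"\r\n--" + b + b"--\r\n")
    return b"From: sender@example.test\r\nSubject: nested\r\n" + body


def flat_mime(parts: int) -> bytes:
    """Constructed input: one multipart/mixed holding `parts` text/plain siblings."""
    body = b"".join(b"--flat\r\nContent-Type: text/plain\r\n\r\npart\r\n" for _ in range(parts))
    return b'Content-Type: multipart/mixed; boundary="flat"\r\n\r\n' + body + b"--flat--\r\n"


def rfc822_wrapped(inner: bytes) -> bytes:
    """Constructed input: `inner` embedded as a message/rfc822 part."""
    return (b'Content-Type: multipart/mixed; boundary="outer"\r\n\r\n--outer\r\n'
            b"Content-Type: message/rfc822\r\n\r\n" + inner + b"\r\n--outer--\r\n")


if __name__ == "__main__":
    print(scan_mime(nested_mime(3)), scan_mime(flat_mime(50)))
    print(within_limits(nested_mime(30), max_depth=10), within_limits(flat_mime(50), max_parts=20))
```

The scan is iterative over multipart boundaries and only recurses for message/rfc822 parts, and that recursion is cut off by `max_depth`; with the assumed limits a message that nests 30 levels deep is accepted, while the same message under `max_depth=10` is rejected on the eleventh header block rather than after the whole body has been read.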
===========================================================
Ubuntu Security Notice USN-593-1             March 26, 2008
dovecot vulnerabilities
CVE-2008-1199, CVE-2008-1218
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  dovecot-common                  1.0.beta3-3ubuntu5.6
  dovecot-imapd                   1.0.beta3-3ubuntu5.6
  dovecot-pop3d                   1.0.beta3-3ubuntu5.6

Ubuntu 6.10:
  dovecot-common                  1.0.rc2-1ubuntu2.3
  dovecot-imapd                   1.0.rc2-1ubuntu2.3
  dovecot-pop3d                   1.0.rc2-1ubuntu2.3

Ubuntu 7.04:
  dovecot-common                  1.0.rc17-1ubuntu2.3
  dovecot-imapd                   1.0.rc17-1ubuntu2.3
  dovecot-pop3d                   1.0.rc17-1ubuntu2.3

Ubuntu 7.10:
  dovecot-common                  1:1.0.5-1ubuntu2.2
  dovecot-imapd                   1:1.0.5-1ubuntu2.2
  dovecot-pop3d                   1:1.0.5-1ubuntu2.2

After a standard system upgrade, additional dovecot configuration changes
are needed.

ATTENTION: Due to an unavoidable configuration update, the dovecot settings
in /etc/dovecot/dovecot.conf need to be updated manually. During the update,
a configuration file conflict will be shown. The default setting
"mail_extra_groups = mail" should be changed to "mail_privileged_group = mail".
If your local configuration uses groups other than "mail", you may need to use
the new "mail_access_groups" setting as well.

Details follow:

It was discovered that the default configuration of dovecot could allow
access to any email files with group "mail" without verifying that a user
had valid rights. An attacker able to create symlinks in their mail
directory could exploit this to read or delete another user's email.
(CVE-2008-1199)

By default, dovecot passed special characters to the underlying
authentication systems. While Ubuntu releases of dovecot are not known to
be vulnerable, the authentication routine was proactively improved to avoid
potential future problems. (CVE-2008-1218)

Updated packages for Ubuntu 6.06 LTS:

  Source archives:
      Size/MD5:   482805 f572acb482f90bb083314e880a772806
      Size/MD5:      867 f388415adecfb6e6b66821c601202954
      Size/MD5:  1360574 5418f9f7fe99e4f10bb82d9fe504138a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5:   968546 0a9feb89c2b960cbb283a0a957c1ab3b
      Size/MD5:   535154 c3fabd531b6c633a48ee9d3dfe5fbea9
      Size/MD5:   503144 bb2ae9e81eb6188263827cb87cba29e7

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5:   842602 3a3b5f8a056546dcad50211b6a66b17e
      Size/MD5:   487858 735fe4c9291d8f3e2f6ea93df9e6a722
      Size/MD5:   458548 a32d03a27e76610ef5e9a5b25adc369d

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5:   946420 888fd964ff401c9436810f59a56c960e
      Size/MD5:   528892 65204a0f2de667fcc5bb7097c2973df9
      Size/MD5:   496616 8b71cb5999b41bd150d1427090f5266a

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5:   859702 096725e1d08fb32b4c30e4cb06a303ee
      Size/MD5:   494022 69cb816c90fbc8c154860150beb54df1
      Size/MD5:   464254 49ef9af48a8bcbc1b43cf64e579c8bac

Updated packages for Ubuntu 6.10:

  Source archives:
      Size/MD5:   481921 30469a011f337d9ea2af0d5660cdc3bb
      Size/MD5:      900 103e47535573605f059bfe512bbe9e9d
      Size/MD5:  1257435 e27a248b2ee224e4618aa2f020150041

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5:   941192 6d872ad2200983d3c6fb0af0af1689b4
      Size/MD5:   389328 d249f6bee773d0302cb500107d5c30f1
      Size/MD5:   355572 af818dec4a8102797efe010c52d2f3da

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5:   837862 a2e1e5ab801a81bd7ede896c68b471dc
      Size/MD5:   356148 fe47879721273c223fdb02b820572c2d
      Size/MD5:   325538 930636d7b634b371ef7564a54f7ebbc8

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5:   930236 0e501c64167c62697a6d35f77723f626
      Size/MD5:   387640 e383c12a8ae5f38f99b5605fe615d303
      Size/MD5:   354172 3b497cae8495e559124a8a32d0199fec

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5:   825242 483e84acb29649b05fd20b0516462e36
      Size/MD5:   349766 ae08a2bc0af7693fd3eba475cdefea81
      Size/MD5:   318894 b0962827bc67760168431aa08407c40a

Updated packages for Ubuntu 7.04:

  Source archives:
      Size/MD5:   110359 d45086b091902ffe4c897a37500640ef
      Size/MD5:     1100 2ebee5689361d891820080b8c03c1b80
      Size/MD5:  1512386 881bcc7d2c8fba6d337f3e616a602bf7

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5:  1279482 7ca87aed81c784bc5fadcf51df7bb07b
      Size/MD5:   589038 f7053e7a3037267a13de1b7d7daba6ae
      Size/MD5:   554270 7f92ed3a933b775a6301b1d8723e60d0

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5:  1169674 fc5fbc9f8b4c33fb2f773c7767625c79
      Size/MD5:   556308 13e0b06665a17c56da6d17ec3af892ca
      Size/MD5:   523676 681dd1951ef3d61b225930f9ba20f1d4

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5:  1296474 b691fd7d6d5a5df7b08af8d732f806e1
      Size/MD5:   593374 77b2a2b0bf8f05c5fd8c03887dd0739d
      Size/MD5:   558844 03bde80aa2b1282c9131590cc530e68d

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5:  1163166 66565dbe0abf26fa13e1eae8d51f81f8
      Size/MD5:   551744 d7858288e8326aad4cff410e5336ce1d
      Size/MD5:   519076 45e334d300da1c76f5da042d0dbbfe44

Updated packages for Ubuntu 7.10:

  Source archives:
      Size/MD5:   116694 c21b8fd1aa899cec34c5428d953ba992
      Size/MD5:     1115 74def18e831b00a23b5ee06f36634e55
      Size/MD5:  1775898 94b7d29cf44f63f89d538361afa05c40

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5:  1822104 aebc0d840798e22dd1794b12f65fb65f
      Size/MD5:   656608 d3ad8a6801d0be7060a2f57787cd93db
      Size/MD5:   620032 ed96dadf810230c3f19fb1c07963b551

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5:  1680262 d4014ff94fd68f928c8b91a2bfbf8143
      Size/MD5:   623590 2b42a167edcc0614b6f2b657319bda7d
      Size/MD5:   590130 2bab04499b1cbf80042248ba3250c585

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5:  1840504 d989541e39e1ddad883537907502b0f4
      Size/MD5:   659636 cb7c4ca376b74c8e36ae80b14277c25d
      Size/MD5:   624332 022c275417a9ac846b5ed09eea225e84

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5:  1674688 798e926a5b6180a64fced9c592b38762
      Size/MD5:   620580 9fb4843e505d09dcc0374b6bbc4dbb3b
      Size/MD5:   587500 08bd76dc21c61c368b092d9c6d674e0a
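USN-593-1 asks for two things from an administrator: change `mail_extra_groups = mail` to `mail_privileged_group = mail` (plus `mail_access_groups` where other groups are involved), and be aware that the attack primitive was a symlink planted in a user's own mail directory pointing at someone else's mail. The following is an added example, not code from Ubuntu or the Dovecot project: a Python audit that flags the old setting in a dovecot.conf and walks a mail directory looking for symlinks that escape it or point at files the owner does not own. The configuration fragments and the temporary mail directory are constructed for the example; the flat key = value parser is an assumption that ignores Dovecot's block syntax, which is enough for these global settings.

```python
"""Two checks derived from USN-593-1: flag mail_extra_groups in a dovecot.conf,
and find symlinks inside a user's mail directory that point elsewhere."""
import os
import re
import tempfile
from pathlib import Path

# Constructed dovecot.conf fragments (not taken from a real host). The first
# carries the pre-USN-593-1 default that the advisory tells admins to replace.
WEAK_CONF = """\
# constructed example
protocols = imap pop3
mail_location = maildir:~/Maildir
mail_extra_groups = mail
"""
FIXED_CONF = """\
protocols = imap pop3
mail_location = maildir:~/Maildir
mail_privileged_group = mail
"""

SETTING_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_settings(text: str) -> dict:
    """Flat key/value view of a dovecot.conf; full-line comments are dropped.
    Block syntax (protocol imap { ... }) is not modelled here."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_config(text: str) -> list:
    """CVE-2008-1199 configuration check, following the advisory's instructions."""
    s = parse_settings(text)
    findings = []
    group = s.get("mail_extra_groups")
    if group:
        findings.append(f"mail_extra_groups = {group}: change to mail_privileged_group = {group} "
                        f"(use mail_access_groups for additional groups), per USN-593-1")
    return findings


def audit_maildir(mail_root, owner_uid: int) -> list:
    """Report symlinks under mail_root whose target resolves outside it or is
    owned by another uid: the primitive CVE-2008-1199 relied on."""
    root = Path(mail_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(mail_root):   # does not follow symlinks
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            try:
                target = link.resolve(strict=True)
            except (OSError, RuntimeError):
                findings.append((str(link), "dangling symlink"))
                continue
            if target != root and root not in target.parents:
                findings.append((str(link), f"symlink escapes mail root -> {target}"))
            elif target.stat().st_uid != owner_uid:
                findings.append((str(link), f"symlink target owned by uid {target.stat().st_uid}"))
    return findings


def demo_maildir() -> list:
    """Constructed scenario: a symlink inside the attacker's Maildir pointing at
    another user's mail file outside it. Runs in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        victim = tmp / "victim.mbox"
        victim.write_text("victim's mail\n")
        cur = tmp / "attacker" / "Maildir" / "cur"
        cur.mkdir(parents=True)
        (cur / "1.ok").write_text("attacker's own mail\n")
        os.symlink(victim, cur / "2.link")
        return audit_maildir(tmp / "attacker" / "Maildir", os.getuid())


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONF) + audit_config(FIXED_CONF):
        print("config:", finding)
    for path, why in demo_maildir():
        print("maildir:", path, why)
```

The symlink check is a detective control, not a replacement for the configuration change: once Dovecot no longer carries the "mail" group for every file access, a symlink to another user's mailbox is simply unreadable, which is what the advisory's new setting achieves.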
------------------------------------------------------------------------
Debian Security Advisory DSA-044-1

The mail program (a simple tool to read and send email) as distributed with
Debian GNU/Linux 2.2 has a buffer overflow in the input parsing code.