| Summary: | dovecot new security issue CVE-2019-7524 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, mageia, marja11, smelror, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK MGA6-32-OK | ||
| Source RPM: | dovecot-2.2.36.1-1.mga6.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 2.2.36.3 | ||
|
Description
David Walser
2019-03-28 21:58:27 CET

David Walser
2019-03-28 21:58:40 CET
Status comment: (none) => Fixed upstream in 2.2.36.3 and 2.3.5.1

David Walser
2019-03-28 21:58:45 CET
Whiteboard: (none) => MGA6TOO

Assigning to our registered dovecot maintainer.
Assignee: bugsquad => shlomif

Full advisory for the security issue:
https://www.openwall.com/lists/oss-security/2019/03/28/1

Debian has issued an advisory for this on March 28:
https://www.debian.org/security/2019/dsa-4418

Dovecot update to 2.3.5.1 on Cauldron.
CC: (none) => smelror
Stig-Ørjan Smelror
2019-03-31 19:55:41 CEST
Whiteboard: MGA6TOO => (none)

Advisory
========

Dovecot has been updated to version 2.2.36.3 to fix a security issue.

CVE-2019-7524: Missing input buffer size validation leads to arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index. Exploiting this requires direct write access to the index files.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2019-7524
https://www.dovecot.org/list/dovecot-news/2019-March/000402.html

Files
=====

Uploaded to core/updates_testing

dovecot-2.2.36.3-1.mga6
dovecot-devel-2.2.36.3-1.mga6
dovecot-pigeonhole-2.2.36.3-1.mga6
dovecot-pigeonhole-devel-2.2.36.3-1.mga6
dovecot-plugins-gssapi-2.2.36.3-1.mga6
dovecot-plugins-ldap-2.2.36.3-1.mga6
dovecot-plugins-mysql-2.2.36.3-1.mga6
dovecot-plugins-pgsql-2.2.36.3-1.mga6
dovecot-plugins-sqlite-2.2.36.3-1.mga6

from dovecot-2.2.36.3-1.mga6.src.rpm

Assignee: smelror => qa-bugs

Installed and tested without issues.
System: Mageia 6, x86_64, Intel CPU.
E-mail Clients: kmail (Mageia 6), roundcubemail (php/webmail), k9 (Android).
Tested with an e-mail account with gigabytes of emails, many thousands of emails and hundreds of folders.
Will wait for more tests before marking it OK.
```
$ uname -a
Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep dovecot
dovecot-pigeonhole-2.2.36.3-1.mga6
dovecot-2.2.36.3-1.mga6
$ systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: enabled)
   Active: active (running) since Seg 2019-04-01 09:04:51 WEST; 1h 2min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
  Process: 4406 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
  Process: 4411 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
 Main PID: 4415 (dovecot)
      CPU: 4.320s
   CGroup: /system.slice/dovecot.service
           ├─4415 /usr/sbin/dovecot
           ├─4417 dovecot/anvil
           ├─4418 dovecot/log
           └─4421 dovecot/config
<SNIP>
```

CC: (none) => mageia

This update has been in use for several days without issues, so I'm going to give it the OK for x86_64 (see comment #6 for test details).
Whiteboard: (none) => MGA6-64-OK

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Repeated test of squirrelmail as per bug 24454, since this uses dovecot. All tests OK.
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Thanks, guys. Validating. Suggested advisory in Comment 5.
Keywords: (none) => validated_update

Dave Hodgins
2019-04-10 21:52:19 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0141.html
Status: NEW => RESOLVED
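The advisory in this report names dovecot-2.2.36.3-1.mga6 as the fixed build, and the testers confirmed it by eye from `rpm -qa | grep dovecot`. The script below is an added example, not part of the bug report and not Mageia or Dovecot tooling: it parses `rpm -qa` output in the plain name-version-release form shown above (no architecture suffix, an assumption) and reports whether every installed dovecot* package is at or past the fixed version-release. The version comparison is a simplified rpmvercmp written here (numeric segments compare as integers, alphabetic ones as strings), not the rpm library's own. The sample inputs are constructed from the package names on this page: the tester's post-update listing and the pre-update 2.2.36.1-1.mga6 build from the Source RPM field.

```python
import re

# Fixed version-release from the advisory in this bug report.
FIXED_DOVECOT = "2.2.36.3-1.mga6"

# Constructed sample: the two lines the tester pasted from `rpm -qa | grep dovecot`.
SAMPLE_RPM_QA = """\
dovecot-pigeonhole-2.2.36.3-1.mga6
dovecot-2.2.36.3-1.mga6
"""

# Constructed sample: what a host still on the pre-update build (the bug's
# Source RPM field, dovecot-2.2.36.1-1.mga6) would have printed.
PRE_UPDATE_RPM_QA = """\
dovecot-2.2.36.1-1.mga6
dovecot-pigeonhole-2.2.36.1-1.mga6
"""

# name may contain dashes, so version and release are taken from the last two.
_NEVR = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")


def parse_nevr(pkg):
    """Split 'name-version-release' (plain rpm -qa form, no arch suffix assumed)
    into (name, version, release)."""
    m = _NEVR.match(pkg.strip())
    if not m:
        raise ValueError(f"not an rpm name-version-release string: {pkg!r}")
    return m.group("name"), m.group("version"), m.group("release")


def _segments(s):
    """Turn '2.2.36.3' or '1.mga6' into a comparable list. Numeric runs are
    tagged 0 and compared as integers, alphabetic runs are tagged 1 and compared
    as strings; the tag keeps Python from comparing int with str."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", s)]


def compare_vr(a, b):
    """Compare two 'version-release' strings segment-wise (simplified rpmvercmp,
    written for this example). Returns -1, 0 or 1."""
    av, ar = a.split("-", 1)
    bv, br = b.split("-", 1)
    for x, y in ((_segments(av), _segments(bv)), (_segments(ar), _segments(br))):
        if x != y:
            return -1 if x < y else 1
    return 0


def check_dovecot_packages(rpm_qa_output, fixed=FIXED_DOVECOT):
    """Map each installed dovecot* package name to True if its version-release
    is at or past the fixed one, False if it is still vulnerable."""
    result = {}
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, ver, rel = parse_nevr(line)
        if not name.startswith("dovecot"):
            continue
        result[name] = compare_vr(f"{ver}-{rel}", fixed) >= 0
    return result


if __name__ == "__main__":
    # On a real host: rpm -qa | grep dovecot | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_QA
    for name, ok in check_dovecot_packages(data).items():
        print(f"{name}: {'fixed' if ok else 'STILL VULNERABLE'}")
```

Because the comparison is segment-wise rather than lexical, a later upstream line such as the 2.3.5.1 build that Cauldron moved to also counts as fixed, and 2.2.36.10 would correctly sort after 2.2.36.3.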