Bug 26187

Summary:	dovecot new security issues CVE-2020-7046 and CVE-2020-7957
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	Stig-Ørjan Smelror <smelror>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal
Version:	Cauldron
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:
Source RPM:	dovecot-2.3.9.2-1.mga8.src.rpm	CVE:
Status comment:

Description David Walser 2020-02-12 14:21:40 CET

Upstream has issued advisories today (February 12):
https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html
https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html

The issues are fixed upstream in 2.3.9.3:
https://dovecot.org/pipermail/dovecot-news/2020-February/000429.html

Comment 1 David Walser 2020-02-12 15:30:46 CET

Fixed in dovecot-2.3.9.3-1.mga8 by Stig-Ørjan.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 2 David Walser 2020-02-20 23:05:19 CET

Fedora has issued advisories for this today (February 20):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/

The updated from 2.3.4 and 2.3.7, even though those supposedly aren't vulnerable, but don't give bug links that might say whether the older versions are vulnerable (the upstream advisories just say 2.3.9 is).  Will reopen if other distros do it.