Bug 29160

Summary: dovecot new security issues CVE-2020-28200, CVE-2021-29157 and CVE-2021-33515
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, mageia, mageia, smelror, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: dovecot-2.3.14-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2021-06-21 18:00:37 CEST 
Dovecot has issued advisories today (June 21):
https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html
https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html

The first issue is fixed upstream in 2.3.15 and the other two are also fixed in 2.3.14.1:
https://dovecot.org/pipermail/dovecot-news/2021-June/000459.html
https://dovecot.org/pipermail/dovecot-news/2021-June/000457.html

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-06-21 18:00:50 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 2.3.15

Comment 1 David Walser 2021-06-21 19:15:27 CEST 
Ubuntu has issued an advisory for the last two issues today (June 21):
https://ubuntu.com/security/notices/USN-4993-1
Comment 2 Lewis Smith 2021-06-22 09:04:36 CEST 
Assigning to Stig, who has done recent updates to this.

Assignee: bugsquad => smelror

Comment 3 David Walser 2021-06-25 23:43:34 CEST 
openSUSE has issued an advisory for the last two issues today (June 25):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VRGETVIUWL6C53ONKOWQB6XMHGC4U2YM/
Comment 4 David Walser 2021-06-28 14:40:03 CEST 
CVE-2020-28200 is actually fixed in Pigeonhole 0.5.15:
https://dovecot.org/pipermail/dovecot-news/2021-June/000458.html
Comment 5 David Walser 2021-07-01 18:58:54 CEST 
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 6 David Walser 2021-07-06 00:24:58 CEST 
Fedora has issued an advisory for this today (July 5):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/
Comment 7 David Walser 2021-09-01 18:07:24 CEST 
openSUSE has issued an advisory for the first two issues on August 31:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YLFYZS4WAYE6TU4PO3V2JUI7DPQEK73I/
Nicolas Lécureuil 2021-12-14 18:41:46 CET

CC: (none) => mageia

Comment 8 Nicolas Lécureuil 2021-12-14 18:43:12 CET 
already fixed in cauldron.

new version pushed in mga8:


src:
    - dovecot-2.3.17.1-1.mga8

Version: Cauldron => 8
Status comment: Fixed upstream in 2.3.15 => (none)
CC: (none) => smelror
Assignee: smelror => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 9 David Walser 2021-12-14 18:53:04 CET 
dovecot-pigeonhole-devel-2.3.17.1-1.mga8
dovecot-plugins-ldap-2.3.17.1-1.mga8
dovecot-plugins-pgsql-2.3.17.1-1.mga8
dovecot-plugins-mysql-2.3.17.1-1.mga8
dovecot-plugins-gssapi-2.3.17.1-1.mga8
dovecot-plugins-sqlite-2.3.17.1-1.mga8
dovecot-devel-2.3.17.1-1.mga8
dovecot-pigeonhole-2.3.17.1-1.mga8
dovecot-2.3.17.1-1.mga8
Comment 10 PC LX 2021-12-15 01:18:04 CET 
Installed but failed due to a missing dovecot.service file.

The previously installed dovecot package had a service file.

$ rpm -ql dovecot --root /media/btrfs/.snapshots/marte_root/2021-12-10_16\:58\:15_49___backup/ | grep service
/usr/lib/systemd/system/dovecot.service
$ rpm -ql dovecot | grep service

CC: (none) => mageia

Comment 11 Dave Hodgins 2021-12-15 02:12:35 CET 
Confirmed problem as per comment 10. Adding feedback marker.

Keywords: (none) => feedback
CC: (none) => davidwhodgins

Comment 12 Dave Hodgins 2021-12-15 02:14:09 CET 
To downgrade to the working version use "urpmi --downgrade dovecot-2.3.13-1.mga8".
Comment 13 Stig-Ørjan Smelror 2021-12-15 08:19:15 CET 
New build in progress.

dovecot-2.3.17.1-1.1.mga8
Comment 14 Stig-Ørjan Smelror 2021-12-15 08:42:40 CET 
dovecot-pigeonhole-devel-2.3.17.1-1.1.mga8
dovecot-plugins-ldap-2.3.17.1-1.1.mga8
dovecot-plugins-pgsql-2.3.17.1-1.1.mga8
dovecot-plugins-mysql-2.3.17.1-1.1.mga8
dovecot-plugins-sqlite-2.3.17.1-1.1.mga8
dovecot-plugins-gssapi-2.3.17.1-1.1.mga8
dovecot-devel-2.3.17.1-1.1.mga8
dovecot-pigeonhole-2.3.17.1-1.1.mga8
dovecot-2.3.17.1-1.1.mga8

from dovecot-2.3.17.1-1.1.mga8.src.rpm
Stig-Ørjan Smelror 2021-12-15 08:43:02 CET

Keywords: feedback => (none)

Comment 15 Dave Hodgins 2021-12-15 19:19:53 CET 
Tested with pop3s and imaps accounts within my lan.
Validating the update.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2021-12-19 12:36:17 CET

Keywords: (none) => advisory

Comment 16 Mageia Robot 2021-12-19 13:27:19 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0557.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED