Upstream has released 2.2.36.3 and 2.3.5.1 today (March 28), fixing a security issue: https://www.dovecot.org/list/dovecot-news/2019-March/000402.html https://www.dovecot.org/list/dovecot-news/2019-March/000401.html Mageia 6 is also affected.
Status comment: (none) => Fixed upstream in 2.2.36.3 and 2.3.5.1
Whiteboard: (none) => MGA6TOO
Assigning to our registered dovecot maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
Full advisory for the security issue: https://www.openwall.com/lists/oss-security/2019/03/28/1
Debian has issued an advisory for this on March 28: https://www.debian.org/security/2019/dsa-4418
Dovecot update to 2.3.5.1 on Cauldron.
CC: (none) => smelror
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Status comment: Fixed upstream in 2.2.36.3 and 2.3.5.1 => Fixed upstream in 2.2.36.3
Source RPM: dovecot-2.3.5-1.mga7.src.rpm => dovecot-2.2.36.1-1.mga6.src.rpm
Assignee: shlomif => smelror
Advisory
========

Dovecot has been updated to version 2.2.36.3 to fix a security issue.

CVE-2019-7524: Missing input buffer size validation leads into arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index. Exploiting this requires direct write access to the index files.

References
==========
https://nvd.nist.gov/vuln/detail/CVE-2019-7524
https://www.dovecot.org/list/dovecot-news/2019-March/000402.html

Files
=====
Uploaded to core/updates_testing

dovecot-2.2.36.3-1.mga6
dovecot-devel-2.2.36.3-1.mga6
dovecot-pigeonhole-2.2.36.3-1.mga6
dovecot-pigeonhole-devel-2.2.36.3-1.mga6
dovecot-plugins-gssapi-2.2.36.3-1.mga6
dovecot-plugins-ldap-2.2.36.3-1.mga6
dovecot-plugins-mysql-2.2.36.3-1.mga6
dovecot-plugins-pgsql-2.2.36.3-1.mga6
dovecot-plugins-sqlite-2.2.36.3-1.mga6

from dovecot-2.2.36.3-1.mga6.src.rpm
Assignee: smelror => qa-bugs
Installed and tested without issues.

System: Mageia 6, x86_64, Intel CPU.
E-mail Clients: kmail (Mageia 6), roundcubemail (php/webmail), k9 (Android).

Tested with an e-mail account with gigabytes of emails, many thousands of emails and hundreds of folders.

Will wait for more tests before marking it OK.

$ uname -a
Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep dovecot
dovecot-pigeonhole-2.2.36.3-1.mga6
dovecot-2.2.36.3-1.mga6

$ systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: enabled)
   Active: active (running) since Seg 2019-04-01 09:04:51 WEST; 1h 2min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
  Process: 4406 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
  Process: 4411 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
 Main PID: 4415 (dovecot)
      CPU: 4.320s
   CGroup: /system.slice/dovecot.service
           ├─4415 /usr/sbin/dovecot
           ├─4417 dovecot/anvil
           ├─4418 dovecot/log
           └─4421 dovecot/config
<SNIP>
CC: (none) => mageia
This update has been in use for several days without issues, so I'm going to give it the OK for x86_64 (see comment #6 for test details).
Whiteboard: (none) => MGA6-64-OK
MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.

Repeated test of squirrelmail as per bug 24454, since this uses dovecot. All tests OK.
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
CC: (none) => herman.viaene
Thanks, guys. Validating. Suggested advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0141.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED