26187 – dovecot new security issues CVE-2020-7046 and CVE-2020-7957

Bug 26187 - dovecot new security issues CVE-2020-7046 and CVE-2020-7957

Summary: dovecot new security issues CVE-2020-7046 and CVE-2020-7957

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	Cauldron
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Stig-Ørjan Smelror
QA Contact:	Sec team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2020-02-12 14:21 CET by David Walser
Modified:	2020-02-20 23:05 CET (History)
CC List:	0 users

See Also:
Source RPM:	dovecot-2.3.9.2-1.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-02-12 14:21:40 CET

Upstream has issued advisories today (February 12):
https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html
https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html

The issues are fixed upstream in 2.3.9.3:
https://dovecot.org/pipermail/dovecot-news/2020-February/000429.html

Comment 1 David Walser 2020-02-12 15:30:46 CET

Fixed in dovecot-2.3.9.3-1.mga8 by Stig-Ørjan.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 2 David Walser 2020-02-20 23:05:19 CET

Fedora has issued advisories for this today (February 20):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/

The updated from 2.3.4 and 2.3.7, even though those supposedly aren't vulnerable, but don't give bug links that might say whether the older versions are vulnerable (the upstream advisories just say 2.3.9 is).  Will reopen if other distros do it.

Note You need to log in before you can comment on or make changes to this bug.