Advisory
========

Dovecot has been updated to fix 3 critical security isses.

CVE-2020-12100: Receiving mail with deeply nested MIME parts leads to resource
exhaustion as Dovecot attempts to parse it.
CVE-2020-12673: Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash.
CVE-2020-12674: Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.

References
==========

https://dovecot.org/pipermail/dovecot-news/2020-August/000441.html
https://dovecot.org/pipermail/dovecot-news/2020-August/000442.html
https://dovecot.org/pipermail/dovecot-news/2020-August/000443.html

Files
=====

Uploaded to core/updates_testing

dovecot-2.3.11.3-1.mga7
dovecot-devel-2.3.11.3-1.mga7
dovecot-pigeonhole-2.3.11.3-1.mga7
dovecot-pigeonhole-devel-2.3.11.3-1.mga7
dovecot-plugins-gssapi-2.3.11.3-1.mga7
dovecot-plugins-ldap-2.3.11.3-1.mga7
dovecot-plugins-mysql-2.3.11.3-1.mga7
dovecot-plugins-pgsql-2.3.11.3-1.mga7
dovecot-plugins-sqlite-2.3.11.3-1.mga7

from dovecot-2.3.11.3-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: smelror => qa-bugs

Installed and tested without issues.


Tested with various accounts with several GiB of emails. Tested with kmail, roundcubemail and k9 clients.


System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.



$ uname -a
Linux marte 5.7.14-desktop-1.mga7 #1 SMP Fri Aug 7 14:45:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep dovecot
dovecot-2.3.11.3-1.mga7
dovecot-pigeonhole-2.3.11.3-1.mga7
$ systemctl status dovecot.service dovecot.socket 
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-08-14 10:38:51 WEST; 5h 3min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 10021 (dovecot)
    Tasks: 6 (limit: 4697)
   Memory: 7.4M
   CGroup: /system.slice/dovecot.service
           ├─10021 /usr/sbin/dovecot -F
           ├─10023 dovecot/anvil
           ├─10024 dovecot/log
           ├─10026 dovecot/config
           ├─10027 dovecot/stats
           └─10029 dovecot/auth

ago 14 10:38:51 marte systemd[1]: Started Dovecot IMAP/POP3 email server.
ago 14 10:38:51 marte dovecot[10021]: master: Dovecot v2.3.11.3 (502c39af9) starting up for imap
ago 14 10:38:51 marte dovecot[10024]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=10037, TLS, session=<IJ9MMNOs8Ln9AAAAAAEAAQAAAAAAAAAB>
ago 14 10:41:28 marte dovecot[10024]: imap(pclx)<10037><IJ9MMNOs8Ln9AAAAAAEAAQAAAAAAAAAB>: Logged out in=161 out=19195 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

● dovecot.socket - Dovecot IMAP/POP3 email server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/dovecot.socket; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-08-14 08:58:37 WEST; 6h ago
   Listen: 10.0.0.1:143 (Stream)
           10.0.0.1:993 (Stream)
           [fd00:0:1:1::1]:143 (Stream)
           [fd00:0:1:1::1]:993 (Stream)
    Tasks: 0 (limit: 4697)
   Memory: 164.0K
   CGroup: /system.slice/dovecot.socket

ago 14 08:58:37 marte systemd[1]: Listening on Dovecot IMAP/POP3 email server activation socket.

CC: (none) => mageia

Advisory and package list in Comment 1.

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0330.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED