Ubuntu has issued an advisory today (August 12):
https://ubuntu.com/security/notices/USN-4456-1

The issues are fixed upstream in 2.3.11.3:
https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html

Upstream advisories for the security issues:
https://dovecot.org/pipermail/dovecot-news/2020-August/000441.html
https://dovecot.org/pipermail/dovecot-news/2020-August/000442.html
https://dovecot.org/pipermail/dovecot-news/2020-August/000443.html

Pigeonhole 0.5.11 update:
https://dovecot.org/pipermail/dovecot-news/2020-August/000439.html

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Advisory
========

Dovecot has been updated to fix 3 critical security issues.

CVE-2020-12100: Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.

CVE-2020-12673: Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash.

CVE-2020-12674: Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.

References
==========
https://dovecot.org/pipermail/dovecot-news/2020-August/000441.html
https://dovecot.org/pipermail/dovecot-news/2020-August/000442.html
https://dovecot.org/pipermail/dovecot-news/2020-August/000443.html

Files
=====

Uploaded to core/updates_testing

dovecot-2.3.11.3-1.mga7
dovecot-devel-2.3.11.3-1.mga7
dovecot-pigeonhole-2.3.11.3-1.mga7
dovecot-pigeonhole-devel-2.3.11.3-1.mga7
dovecot-plugins-gssapi-2.3.11.3-1.mga7
dovecot-plugins-ldap-2.3.11.3-1.mga7
dovecot-plugins-mysql-2.3.11.3-1.mga7
dovecot-plugins-pgsql-2.3.11.3-1.mga7
dovecot-plugins-sqlite-2.3.11.3-1.mga7

from dovecot-2.3.11.3-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: smelror => qa-bugs
CC: (none) => smelror
Installed and tested without issues.

Tested with various accounts with several GiB of emails.
Tested with kmail, roundcubemail and k9 clients.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 5.7.14-desktop-1.mga7 #1 SMP Fri Aug 7 14:45:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep dovecot
dovecot-2.3.11.3-1.mga7
dovecot-pigeonhole-2.3.11.3-1.mga7

$ systemctl status dovecot.service dovecot.socket
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-08-14 10:38:51 WEST; 5h 3min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 10021 (dovecot)
    Tasks: 6 (limit: 4697)
   Memory: 7.4M
   CGroup: /system.slice/dovecot.service
           ├─10021 /usr/sbin/dovecot -F
           ├─10023 dovecot/anvil
           ├─10024 dovecot/log
           ├─10026 dovecot/config
           ├─10027 dovecot/stats
           └─10029 dovecot/auth

ago 14 10:38:51 marte systemd[1]: Started Dovecot IMAP/POP3 email server.
ago 14 10:38:51 marte dovecot[10021]: master: Dovecot v2.3.11.3 (502c39af9) starting up for imap
ago 14 10:38:51 marte dovecot[10024]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=10037, TLS, session=<IJ9MMNOs8Ln9AAAAAAEAAQAAAAAAAAAB>
ago 14 10:41:28 marte dovecot[10024]: imap(pclx)<10037><IJ9MMNOs8Ln9AAAAAAEAAQAAAAAAAAAB>: Logged out in=161 out=19195 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

● dovecot.socket - Dovecot IMAP/POP3 email server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/dovecot.socket; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-08-14 08:58:37 WEST; 6h ago
   Listen: 10.0.0.1:143 (Stream)
           10.0.0.1:993 (Stream)
           [fd00:0:1:1::1]:143 (Stream)
           [fd00:0:1:1::1]:993 (Stream)
    Tasks: 0 (limit: 4697)
   Memory: 164.0K
   CGroup: /system.slice/dovecot.socket

ago 14 08:58:37 marte systemd[1]: Listening on Dovecot IMAP/POP3 email server activation socket.
CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory and package list in Comment 1.
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0330.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED