Dovecot has issued advisories today (January 4):
https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html

The issues are fixed upstream in 2.3.13:
https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
Status comment: (none) => Fixed upstream in 2.3.13
Ubuntu has issued an advisory for this today (January 4): https://ubuntu.com/security/notices/USN-4674-1
Updated package uploaded by Stig-Ørjan.

Advisory:
========================

Updated dovecot packages fix security vulnerabilities:

It was discovered that Dovecot incorrectly handled certain imap hibernation commands. A remote authenticated attacker could possibly use this issue to access other users’ email (CVE-2020-24386).

Innokentii Sennovskiy discovered that Dovecot incorrectly handled MIME parsing. A remote attacker could possibly use this issue to cause Dovecot to crash, resulting in a denial of service (CVE-2020-25275).

The dovecot package has been updated to version 2.3.13, fixing these issues and other bugs. See the upstream release announcement for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24386
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25275
https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html
https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
https://ubuntu.com/security/notices/USN-4674-1
========================

Updated packages in core/updates_testing:
========================
dovecot-2.3.13-1.mga7
dovecot-pigeonhole-2.3.13-1.mga7
dovecot-pigeonhole-devel-2.3.13-1.mga7
dovecot-plugins-pgsql-2.3.13-1.mga7
dovecot-plugins-mysql-2.3.13-1.mga7
dovecot-plugins-ldap-2.3.13-1.mga7
dovecot-plugins-gssapi-2.3.13-1.mga7
dovecot-plugins-sqlite-2.3.13-1.mga7
dovecot-devel-2.3.13-1.mga7

from dovecot-2.3.13-1.mga7.src.rpm
Status comment: Fixed upstream in 2.3.13 => (none)
CC: (none) => smelror
Assignee: smelror => qa-bugs
Installed and tested without issues.

Tested with several accounts with multiple GiB of emails. Tested with kmail, trojita, roundcubemail and k9 (Android) clients.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.

$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep dovecot
dovecot-pigeonhole-2.3.13-1.mga7
dovecot-2.3.13-1.mga7

$ systemctl status dovecot.service dovecot.socket
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-01-05 01:54:56 WET; 4min 41s ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 24973 (dovecot)
    Tasks: 5 (limit: 4684)
   Memory: 8.9M
   CGroup: /system.slice/dovecot.service
           ├─24973 /usr/sbin/dovecot -F
           ├─24977 dovecot/anvil
           ├─24978 dovecot/log
           ├─24979 dovecot/config
           └─24992 dovecot/stats

jan 05 01:56:33 marte dovecot[24978]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=25102, secured, session=<IfohhB24OoT9AAAAAAEAAQAAAAAAAAAB>
jan 05 01:56:33 marte dovecot[24978]: imap(pclx)<25102><IfohhB24OoT9AAAAAAEAAQAAAAAAAAAB>: Logged out in=911 out=3064 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
<SNIP>

● dovecot.socket - Dovecot IMAP/POP3 email server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/dovecot.socket; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-01-04 10:13:33 WET; 15h ago
   Listen: 10.0.0.1:143 (Stream)
           10.0.0.1:993 (Stream)
           [fd00:0:1:1::1]:143 (Stream)
           [fd00:0:1:1::1]:993 (Stream)
    Tasks: 0 (limit: 4684)
   Memory: 164.0K
   CGroup: /system.slice/dovecot.socket

jan 04 10:13:33 marte systemd[1]: Listening on Dovecot IMAP/POP3 email server activation socket.
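As an added example (not code from this report, from Mageia or from Dovecot), the following POSIX shell script generalizes the manual `rpm -qa | grep dovecot` step in the test comment above: it queries every installed dovecot* package and compares its version, field by field, against the fixed upstream release 2.3.13 named in the advisory, so an administrator can tell at a glance whether the host still carries a pre-fix build. The function names, the field-wise comparison (used instead of GNU `sort -V`) and the one pre-fix sample NVR in the self-check are this example's own; the fixed package NVRs are the ones listed in the update.

```shell
#!/bin/sh
# Added example: report whether installed dovecot* packages are at or past the
# upstream release that fixes CVE-2020-24386 and CVE-2020-25275 (2.3.13, per the
# advisory in this report). Function names are this example's own.

FIXED_VERSION="2.3.13"

# version_ge A B : exit 0 when dotted version A >= B, comparing numeric fields
# left to right; a missing field counts as 0 (so 2.3.13.1 >= 2.3.13).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"          # leading field of each
        fa="${fa:-0}"; fb="${fb:-0}"
        if [ "$fa" -gt "$fb" ] 2>/dev/null; then return 0; fi
        if [ "$fa" -lt "$fb" ] 2>/dev/null; then return 1; fi
        # drop the field just compared; nothing remains once there is no dot
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0                                   # all fields equal
}

# nvr_version NAME-VERSION-RELEASE : print VERSION, e.g.
# dovecot-pigeonhole-2.3.13-1.mga7 -> 2.3.13
nvr_version() {
    v="${1%-*}"                 # strip "-<release>" (…-1.mga7)
    printf '%s\n' "${v##*-}"    # what follows the last "-" is the version
}

# dovecot_fixed NVR : exit 0 if the package's version is >= FIXED_VERSION
dovecot_fixed() {
    version_ge "$(nvr_version "$1")" "$FIXED_VERSION"
}

# report_nvr NVR : one human-readable line per package
report_nvr() {
    if dovecot_fixed "$1"; then
        printf 'OK         %s\n' "$1"
    else
        printf 'VULNERABLE %s (fixed in %s)\n' "$1" "$FIXED_VERSION"
    fi
}

# check_installed : query rpm for every installed dovecot* package and report.
# Prints nothing on a host without rpm or without dovecot installed.
check_installed() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 'dovecot*' 2>/dev/null |
    while read -r nvr; do
        report_nvr "$nvr"
    done
}

# report_sample : self-check over two NVRs from this update plus one constructed
# pre-fix NVR (dovecot-2.3.11.3-1.mga7 is a made-up sample, not a real Mageia build).
report_sample() {
    for nvr in dovecot-2.3.13-1.mga7 dovecot-pigeonhole-2.3.13-1.mga7 dovecot-2.3.11.3-1.mga7; do
        report_nvr "$nvr"
    done
}

report_sample
check_installed
```

Running the script prints the three sample lines (two OK, one VULNERABLE) followed by one line per dovecot* package actually installed on the host; any VULNERABLE line for a real package means the update in this report has not yet been applied there.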
Whiteboard: (none) => MGA7-64-OK
CC: (none) => mageia
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
CVE: (none) => CVE-2020-24386, CVE-2020-25275
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0008.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED