28012 – dovecot new security issues CVE-2020-24386 and CVE-2020-25275

Bug 28012 - dovecot new security issues CVE-2020-24386 and CVE-2020-25275

Summary: dovecot new security issues CVE-2020-24386 and CVE-2020-25275

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	7
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA7-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2021-01-04 16:41 CET by David Walser
Modified:	2021-01-08 15:00 CET (History)
CC List:	5 users (show)

See Also:
Source RPM:	dovecot-2.3.11.3-1.mga7.src.rpm
CVE:	CVE-2020-24386, CVE-2020-25275
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-01-04 16:41:03 CET

Dovecot has issued advisories today (January 4):
https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html

The issues are fixed upstream in 2.3.13:
https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html

David Walser 2021-01-04 16:41:22 CET

Status comment: (none) => Fixed upstream in 2.3.13

Comment 1 David Walser 2021-01-04 17:16:09 CET

Ubuntu has issued an advisory for this today (January 4):
https://ubuntu.com/security/notices/USN-4674-1

Comment 2 David Walser 2021-01-04 23:31:03 CET

Updated package uploaded by Stig-Ørjan.

Advisory:
========================

Updated dovecot packages fixes security vulnerabilities:

It was discovered that Dovecot incorrectly handled certain imap hibernation
commands. A remote authenticated attacker could possibly use this issue to
access other users’ email (CVE-2020-24386).

Innokentii Sennovskiy discovered that Dovecot incorrectly handled MIME
parsing. A remote attacker could possibly use this issue to cause Dovecot
to crash, resulting in a denial of service (CVE-2020-25275).

The dovecot package has been updated to version 2.3.13, fixing these issues
and other bugs.  See the upstream release announcement for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24386
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25275
https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html
https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
https://ubuntu.com/security/notices/USN-4674-1
========================

Updated packages in core/updates_testing:
========================
dovecot-2.3.13-1.mga7
dovecot-pigeonhole-2.3.13-1.mga7
dovecot-pigeonhole-devel-2.3.13-1.mga7
dovecot-plugins-pgsql-2.3.13-1.mga7
dovecot-plugins-mysql-2.3.13-1.mga7
dovecot-plugins-ldap-2.3.13-1.mga7
dovecot-plugins-gssapi-2.3.13-1.mga7
dovecot-plugins-sqlite-2.3.13-1.mga7
dovecot-devel-2.3.13-1.mga7

from dovecot-2.3.13-1.mga7.src.rpm

Status comment: Fixed upstream in 2.3.13 => (none)
CC: (none) => smelror
Assignee: smelror => qa-bugs

Comment 3 PC LX 2021-01-05 03:01:43 CET

Installed and tested without issues.


Tested with several accounts with multiple GiB of emails. Tested with kmail, trojita, roundcubemail and k9 (Android) clients.


System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.



$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep dovecot
dovecot-pigeonhole-2.3.13-1.mga7
dovecot-2.3.13-1.mga7
$ systemctl status dovecot.service dovecot.socket
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-01-05 01:54:56 WET; 4min 41s ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 24973 (dovecot)
    Tasks: 5 (limit: 4684)
   Memory: 8.9M
   CGroup: /system.slice/dovecot.service
           ├─24973 /usr/sbin/dovecot -F
           ├─24977 dovecot/anvil
           ├─24978 dovecot/log
           ├─24979 dovecot/config
           └─24992 dovecot/stats

jan 05 01:56:33 marte dovecot[24978]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=25102, secured, session=<IfohhB24OoT9AAAAAAEAAQAAAAAAAAAB>
jan 05 01:56:33 marte dovecot[24978]: imap(pclx)<25102><IfohhB24OoT9AAAAAAEAAQAAAAAAAAAB>: Logged out in=911 out=3064 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
<SNIP>

● dovecot.socket - Dovecot IMAP/POP3 email server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/dovecot.socket; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-01-04 10:13:33 WET; 15h ago
   Listen: 10.0.0.1:143 (Stream)
           10.0.0.1:993 (Stream)
           [fd00:0:1:1::1]:143 (Stream)
           [fd00:0:1:1::1]:993 (Stream)
    Tasks: 0 (limit: 4684)
   Memory: 164.0K
   CGroup: /system.slice/dovecot.socket

jan 04 10:13:33 marte systemd[1]: Listening on Dovecot IMAP/POP3 email server activation socket.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => mageia

Comment 4 Thomas Andrews 2021-01-07 21:52:39 CET

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Aurelien Oudelet 2021-01-08 11:20:07 CET

Advisory pushed to SVN.

CVE: (none) => CVE-2020-24386, CVE-2020-25275
Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 6 Mageia Robot 2021-01-08 15:00:50 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0008.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.