Upstream have released version 2.3.21.1 to fix these issues. https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/
Advisory
========

Dovecot has been updated to fix two security issues.

- CVE-2024-23184: A large number of address headers in email resulted in excessive CPU usage.
- CVE-2024-23185: Abnormally large email headers are now truncated or discarded, with a limit of 10MB on a single header and 50MB for all the headers of all the parts of an email.

References
==========

https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/

Files
=====

dovecot-plugins-sqlite-2.3.21.1-1.mga9
dovecot-plugins-pgsql-2.3.21.1-1.mga9
dovecot-plugins-gssapi-2.3.21.1-1.mga9
dovecot-plugins-mysql-2.3.21.1-1.mga9
dovecot-plugins-ldap-2.3.21.1-1.mga9
dovecot-pigeonhole-devel-2.3.21.1-1.mga9
dovecot-devel-2.3.21.1-1.mga9
dovecot-pigeonhole-2.3.21.1-1.mga9
dovecot-2.3.21.1-1.mga9

from dovecot-2.3.21.1-1.mga9.src.rpm
CVE: (none) => CVE-2024-23184, CVE-2024-23185
Assignee: smelror => qa-bugs
No references to wiki or buglist of previous updates shown. Rather essential to me.
CC: (none) => herman.viaene
MGA9-64 Plasma Wayland on HP-Pavillion.
No installation issues.
Ref bug 13355 for testing

# systemctl start dovecot
# systemctl -l status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
     Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; preset: disabled)
     Active: active (running) since Thu 2024-08-15 13:43:03 CEST; 24s ago
       Docs: man:dovecot(1)
             https://doc.dovecot.org/
   Main PID: 53181 (dovecot)
     Status: "v2.3.21.1 (d492236fa0) running"
      Tasks: 4 (limit: 4473)
     Memory: 3.6M
        CPU: 159ms
     CGroup: /system.slice/dovecot.service
             ├─53181 /usr/sbin/dovecot -F
             ├─53184 dovecot/anvil
             ├─53185 dovecot/log
             └─53186 dovecot/config

Aug 15 13:43:03 mach4.hviaene.thuis systemd[1]: Starting dovecot.service...
Aug 15 13:43:03 mach4.hviaene.thuis dovecot[53181]: master: Dovecot v2.3.21.1 (d492236fa0) starting up for im>
Aug 15 13:43:03 mach4.hviaene.thuis systemd[1]: Started dovecot.service.

Then, after opening ports 143 and 110 in firewall.

$ telnet localhost 143
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot ready.
Connection closed by foreign host.

$ telnet localhost 110
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
+OK Dovecot ready.

Looks good AFAICS.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => mageia
Validating.
CC: (none) => andrewsfarm
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
Source RPM: (none) => dovecot
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0280.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
*** Bug 33476 has been marked as a duplicate of this bug. ***