SUSE-SU-2020:1380-1

Published: 22 May 2020
Source: suse-cvrf

Description

Security update for dovecot23

This update for dovecot23 to 2.3.10 fixes the following issues:

Security issues fixed:

  • CVE-2020-10957: Fixed a crash caused by malformed NOOP commands (bsc#1171457).
  • CVE-2020-10958: Fixed a use-after-free when receiving too many newlines (bsc#1171458).
  • CVE-2020-10967: Fixed a crash in the lmtp and submission components caused by mails with empty quoted localparts (bsc#1171456).

Non-security issues fixed:

Package list

SUSE Linux Enterprise Module for Server Applications 15 SP1
dovecot23-2.3.10-11.1
dovecot23-backend-mysql-2.3.10-11.1
dovecot23-backend-pgsql-2.3.10-11.1
dovecot23-backend-sqlite-2.3.10-11.1
dovecot23-devel-2.3.10-11.1
dovecot23-fts-2.3.10-11.1
dovecot23-fts-lucene-2.3.10-11.1
dovecot23-fts-solr-2.3.10-11.1
dovecot23-fts-squat-2.3.10-11.1

Description

In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp.


Affected products
SUSE Linux Enterprise Module for Server Applications 15 SP1:dovecot23-2.3.10-11.1
SUSE Linux Enterprise Module for Server Applications 15 SP1:dovecot23-backend-mysql-2.3.10-11.1
SUSE Linux Enterprise Module for Server Applications 15 SP1:dovecot23-backend-pgsql-2.3.10-11.1
SUSE Linux Enterprise Module for Server Applications 15 SP1:dovecot23-backend-sqlite-2.3.10-11.1

References

Description

In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command.


Affected products
SUSE Linux Enterprise Module for Server Applications 15 SP1:dovecot23-2.3.10-11.1
SUSE Linux Enterprise Module for Server Applications 15 SP1:dovecot23-backend-mysql-2.3.10-11.1
SUSE Linux Enterprise Module for Server Applications 15 SP1:dovecot23-backend-pgsql-2.3.10-11.1
SUSE Linux Enterprise Module for Server Applications 15 SP1:dovecot23-backend-sqlite-2.3.10-11.1

References

Description

In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.


Affected products
SUSE Linux Enterprise Module for Server Applications 15 SP1:dovecot23-2.3.10-11.1
SUSE Linux Enterprise Module for Server Applications 15 SP1:dovecot23-backend-mysql-2.3.10-11.1
SUSE Linux Enterprise Module for Server Applications 15 SP1:dovecot23-backend-pgsql-2.3.10-11.1
SUSE Linux Enterprise Module for Server Applications 15 SP1:dovecot23-backend-sqlite-2.3.10-11.1

References