SUSE-SU-2021:0028-1

Published: 05 Jan 2021
Source: suse-cvrf

Description

Security update for dovecot23

This update for dovecot23 fixes the following issues:

Security issues fixed:

  • CVE-2020-12100: Fixed a resource exhaustion caused by deeply nested MIME parts (bsc#1174920).
  • CVE-2020-12673: Fixed an improper implementation of NTLM that did not check the message buffer size (bsc#1174922).
  • CVE-2020-12674: Fixed an improper implementation of the RPA mechanism (bsc#1174923).
  • CVE-2020-24386: Fixed an issue with IMAP hibernation that allowed users to access other users' emails (bsc#1180405).
  • CVE-2020-25275: Fixed a crash when the 10000th MIME part was message/rfc822 (bsc#1180406).

Non-security issues fixed:

  • Pigeonhole was updated to version 0.5.11.
  • Dovecot was updated to version 2.3.11.3.

Package list

SUSE Linux Enterprise Module for Server Applications 15 SP2
dovecot23-2.3.11.3-17.5.1
dovecot23-backend-mysql-2.3.11.3-17.5.1
dovecot23-backend-pgsql-2.3.11.3-17.5.1
dovecot23-backend-sqlite-2.3.11.3-17.5.1
dovecot23-devel-2.3.11.3-17.5.1
dovecot23-fts-2.3.11.3-17.5.1
dovecot23-fts-lucene-2.3.11.3-17.5.1
dovecot23-fts-solr-2.3.11.3-17.5.1
dovecot23-fts-squat-2.3.11.3-17.5.1

Description

In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.


Affected products
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-mysql-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-pgsql-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-sqlite-2.3.11.3-17.5.1

Description

In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.


Affected products
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-mysql-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-pgsql-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-sqlite-2.3.11.3-17.5.1

Description

In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.


Affected products
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-mysql-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-pgsql-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-sqlite-2.3.11.3-17.5.1

Description

An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).


Affected products
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-mysql-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-pgsql-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-sqlite-2.3.11.3-17.5.1

Description

Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.


Affected products
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-mysql-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-pgsql-2.3.11.3-17.5.1
SUSE Linux Enterprise Module for Server Applications 15 SP2:dovecot23-backend-sqlite-2.3.11.3-17.5.1
