SUSE-SU-2021:2124-1

Опубликовано: 22 июн. 2021

Источник: suse-cvrf

Описание

Security update for dovecot23

This update for dovecot23 fixes the following issues:

CVE-2021-29157: Local attacker can login as any user and access their emails (bsc#1187418)
CVE-2021-33515: Attacker can potentially steal user credentials and mails (bsc#1187419)

Список пакетов

SUSE Enterprise Storage 6

dovecot23-2.3.11.3-24.1

dovecot23-backend-mysql-2.3.11.3-24.1

dovecot23-backend-pgsql-2.3.11.3-24.1

dovecot23-backend-sqlite-2.3.11.3-24.1

dovecot23-devel-2.3.11.3-24.1

dovecot23-fts-2.3.11.3-24.1

dovecot23-fts-lucene-2.3.11.3-24.1

dovecot23-fts-solr-2.3.11.3-24.1

dovecot23-fts-squat-2.3.11.3-24.1

SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS

dovecot23-2.3.11.3-24.1

dovecot23-backend-mysql-2.3.11.3-24.1

dovecot23-backend-pgsql-2.3.11.3-24.1

dovecot23-backend-sqlite-2.3.11.3-24.1

dovecot23-devel-2.3.11.3-24.1

dovecot23-fts-2.3.11.3-24.1

dovecot23-fts-lucene-2.3.11.3-24.1

dovecot23-fts-solr-2.3.11.3-24.1

dovecot23-fts-squat-2.3.11.3-24.1

SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS

dovecot23-2.3.11.3-24.1

dovecot23-backend-mysql-2.3.11.3-24.1

dovecot23-backend-pgsql-2.3.11.3-24.1

dovecot23-backend-sqlite-2.3.11.3-24.1

dovecot23-devel-2.3.11.3-24.1

dovecot23-fts-2.3.11.3-24.1

dovecot23-fts-lucene-2.3.11.3-24.1

dovecot23-fts-solr-2.3.11.3-24.1

dovecot23-fts-squat-2.3.11.3-24.1

SUSE Linux Enterprise Server 15 SP1-BCL

dovecot23-2.3.11.3-24.1

dovecot23-backend-mysql-2.3.11.3-24.1

dovecot23-backend-pgsql-2.3.11.3-24.1

dovecot23-backend-sqlite-2.3.11.3-24.1

dovecot23-devel-2.3.11.3-24.1

dovecot23-fts-2.3.11.3-24.1

dovecot23-fts-lucene-2.3.11.3-24.1

dovecot23-fts-solr-2.3.11.3-24.1

dovecot23-fts-squat-2.3.11.3-24.1

SUSE Linux Enterprise Server 15 SP1-LTSS

dovecot23-2.3.11.3-24.1

dovecot23-backend-mysql-2.3.11.3-24.1

dovecot23-backend-pgsql-2.3.11.3-24.1

dovecot23-backend-sqlite-2.3.11.3-24.1

dovecot23-devel-2.3.11.3-24.1

dovecot23-fts-2.3.11.3-24.1

dovecot23-fts-lucene-2.3.11.3-24.1

dovecot23-fts-solr-2.3.11.3-24.1

dovecot23-fts-squat-2.3.11.3-24.1

SUSE Linux Enterprise Server for SAP Applications 15 SP1

dovecot23-2.3.11.3-24.1

dovecot23-backend-mysql-2.3.11.3-24.1

dovecot23-backend-pgsql-2.3.11.3-24.1

dovecot23-backend-sqlite-2.3.11.3-24.1

dovecot23-devel-2.3.11.3-24.1

dovecot23-fts-2.3.11.3-24.1

dovecot23-fts-lucene-2.3.11.3-24.1

dovecot23-fts-solr-2.3.11.3-24.1

dovecot23-fts-squat-2.3.11.3-24.1

SUSE Manager Proxy 4.0

dovecot23-2.3.11.3-24.1

dovecot23-backend-mysql-2.3.11.3-24.1

dovecot23-backend-pgsql-2.3.11.3-24.1

dovecot23-backend-sqlite-2.3.11.3-24.1

dovecot23-devel-2.3.11.3-24.1

dovecot23-fts-2.3.11.3-24.1

dovecot23-fts-lucene-2.3.11.3-24.1

dovecot23-fts-solr-2.3.11.3-24.1

dovecot23-fts-squat-2.3.11.3-24.1

SUSE Manager Retail Branch Server 4.0

dovecot23-2.3.11.3-24.1

dovecot23-backend-mysql-2.3.11.3-24.1

dovecot23-backend-pgsql-2.3.11.3-24.1

dovecot23-backend-sqlite-2.3.11.3-24.1

dovecot23-devel-2.3.11.3-24.1

dovecot23-fts-2.3.11.3-24.1

dovecot23-fts-lucene-2.3.11.3-24.1

dovecot23-fts-solr-2.3.11.3-24.1

dovecot23-fts-squat-2.3.11.3-24.1

SUSE Manager Server 4.0

dovecot23-2.3.11.3-24.1

dovecot23-backend-mysql-2.3.11.3-24.1

dovecot23-backend-pgsql-2.3.11.3-24.1

dovecot23-backend-sqlite-2.3.11.3-24.1

dovecot23-devel-2.3.11.3-24.1

dovecot23-fts-2.3.11.3-24.1

dovecot23-fts-lucene-2.3.11.3-24.1

dovecot23-fts-solr-2.3.11.3-24.1

dovecot23-fts-squat-2.3.11.3-24.1

Ссылки

https://www.suse.com/support/update/announcement/2021/suse-su-20212124-1/
Link for SUSE-SU-2021:2124-1
https://lists.suse.com/pipermail/sle-updates/2021-June/019410.html
E-Mail link for SUSE-SU-2021:2124-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1187418
SUSE Bug 1187418
https://bugzilla.suse.com/1187419
SUSE Bug 1187419
https://www.suse.com/security/cve/CVE-2021-29157/
SUSE CVE CVE-2021-29157 page
https://www.suse.com/security/cve/CVE-2021-33515/
SUSE CVE CVE-2021-33515 page

Описание

Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.

Затронутые продукты

SUSE Enterprise Storage 6:dovecot23-2.3.11.3-24.1

SUSE Enterprise Storage 6:dovecot23-backend-mysql-2.3.11.3-24.1

SUSE Enterprise Storage 6:dovecot23-backend-pgsql-2.3.11.3-24.1

SUSE Enterprise Storage 6:dovecot23-backend-sqlite-2.3.11.3-24.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-29157.html
CVE-2021-29157
https://bugzilla.suse.com/1187418
SUSE Bug 1187418

Описание

The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.

Затронутые продукты

SUSE Enterprise Storage 6:dovecot23-2.3.11.3-24.1

SUSE Enterprise Storage 6:dovecot23-backend-mysql-2.3.11.3-24.1

SUSE Enterprise Storage 6:dovecot23-backend-pgsql-2.3.11.3-24.1

SUSE Enterprise Storage 6:dovecot23-backend-sqlite-2.3.11.3-24.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-33515.html
CVE-2021-33515
https://bugzilla.suse.com/1187419
SUSE Bug 1187419

SUSE-SU-2021:2124-1

Описание

Список пакетов

SUSE Enterprise Storage 6

SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS

SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS

SUSE Linux Enterprise Server 15 SP1-BCL

SUSE Linux Enterprise Server 15 SP1-LTSS

SUSE Linux Enterprise Server for SAP Applications 15 SP1

SUSE Manager Proxy 4.0

SUSE Manager Retail Branch Server 4.0

SUSE Manager Server 4.0

Ссылки

Уязвимость: CVE-2021-29157

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2021-33515

Описание

Затронутые продукты

Ссылки