dovecot: CVE-2019-11494 CVE-2019-11499

Related Vulnerabilities: CVE-2019-11494, CVE-2019-11499

Debian Bug report logs - #928235


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 30 Apr 2019 14:03:02 UTC

Severity: grave

Tags: security, upstream

Found in version dovecot/1:2.3.4.1-4

Fixed in version dovecot/1:2.3.4.1-5

Done: Apollon Oikonomopoulos <apoikos@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Dovecot Maintainers <dovecot@packages.debian.org>:
Bug#928235; Package src:dovecot. (Tue, 30 Apr 2019 14:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Dovecot Maintainers <dovecot@packages.debian.org>. (Tue, 30 Apr 2019 14:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dovecot: CVE-2019-11494 CVE-2019-11499
Date: Tue, 30 Apr 2019 15:59:10 +0200
Source: dovecot
Version: 1:2.3.4.1-4
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for dovecot.

CVE-2019-11494[0]:
| Submission-login crashes with signal 11 due to null pointer access
| when authentication is aborted by disconnecting.

CVE-2019-11499[1]:
| Submission-login crashes when authentication is started over TLS
| secured channel and invalid authentication message is sent

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11494
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11494
    https://dovecot.org/pipermail/dovecot/2019-April/115757.html
[1] https://security-tracker.debian.org/tracker/CVE-2019-11499
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11499
    https://dovecot.org/pipermail/dovecot/2019-April/115758.html

Regards,
Salvatore



Reply sent to Apollon Oikonomopoulos <apoikos@debian.org>:
You have taken responsibility. (Tue, 30 Apr 2019 18:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 30 Apr 2019 18:51:04 GMT)


Message #10 received at 928235-close@bugs.debian.org:

From: Apollon Oikonomopoulos <apoikos@debian.org>
To: 928235-close@bugs.debian.org
Subject: Bug#928235: fixed in dovecot 1:2.3.4.1-5
Date: Tue, 30 Apr 2019 18:48:37 +0000
Source: dovecot
Source-Version: 1:2.3.4.1-5

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928235@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Apollon Oikonomopoulos <apoikos@debian.org> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 30 Apr 2019 21:26:28 EEST
Source: dovecot
Architecture: source
Version: 1:2.3.4.1-5
Distribution: unstable
Urgency: medium
Maintainer: Dovecot Maintainers <dovecot@packages.debian.org>
Changed-By: Apollon Oikonomopoulos <apoikos@debian.org>
Closes: 928235
Changes:
 dovecot (1:2.3.4.1-5) unstable; urgency=medium
 .
   * [bd00402] Fix CVE-2019-11494 and CVE-2019-11499 (Closes: #928235)
      - submission-login: fix null pointer dereference when client
        disconnects during authentication (CVE-2019-11494)
      - submission-login: fix assert-crash when receiving an invalid
        authentication message over TLS (CVE-2019-11499)
Checksums-Sha256: 
 45fa97e83e60abaf567518a061fc8b30b7cca7a07af475cd7316dc8e449110a5 3590 dovecot_2.3.4.1-5.dsc
 51d4699c3631ca2cb7bcae5ddb9a945b4cd927879ebc4a0c3e9fdc7f4dab425e 533900 dovecot_2.3.4.1-5.debian.tar.xz
 a89ddd4ab25b58a67ee4975a8b6f9316bc656f5cabd725ab27d7317bbf372f50 9024 dovecot_2.3.4.1-5_source.buildinfo
 d244ae94e316e69a1c2fb272cadd71a5c87b4dfa88edfcc511eceb1dd2252c5d 1286 dovecot_2.3.4.1.orig.tar.gz.asc
Checksums-Sha1: 
 5c4c28e1a5440ae449f74f5889e6d81098cd4f2f 3590 dovecot_2.3.4.1-5.dsc
 d84107710a4aa1e948e6ea212c086fa0b20bf5b2 533900 dovecot_2.3.4.1-5.debian.tar.xz
 1722fc76dfbf12976487ecc658d46b841a8978bd 9024 dovecot_2.3.4.1-5_source.buildinfo
 cf6a7d63be252c98b0aeed62fb1e8cea558fd2a1 1286 dovecot_2.3.4.1.orig.tar.gz.asc
Files: 
 320c2f1e20bebdee323da34e0e00ee26 3590 mail optional dovecot_2.3.4.1-5.dsc
 d0a6314f3421f98c319fc36e722beed1 533900 mail optional dovecot_2.3.4.1-5.debian.tar.xz
 66fb79cb18868b42061d768953d89eff 9024 mail optional dovecot_2.3.4.1-5_source.buildinfo
 8c93e4114a2edfd50e881bc0be06e82a 1286 - - dovecot_2.3.4.1.orig.tar.gz.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEPgL9ZlYpWVIRC6uZ9RsYxyAkgiQFAlzIk20ACgkQ9RsYxyAk
giQydhAAsxAm+13OJqYqBGacS3AD9KeGys46uTMxRBazynuE3SyP+QqXtjtyT5z8
AyUImVKp7Xc/GpHi5qmNqTFtPeNkpHHWNy6UBIRUjFZZbU4ed3QfV+KQwNgyJqrV
/RUsvOQ/lqkwf7Umdgr77Y2lHUwNy+tlKVIa2XdzEuW8rTb76PVFFYVxn0Ao9vH0
KHB+ew2rjNKz8EmMSJWc4EfW+4OUY4b9Rkfb9f30tP29ordEXsFoD2A8Y9Y5844a
YW1v80NVyLAmD+2eQJhGgc0WWgzYCnoVXaH2MSeVswYrSz6SU3aPnrS6Jg2r+hvq
8dHU3HJftg306RFZk5GStG4jk407xE3MQxOo6wC15qZCECdNsTH+nUnmF8i2nM/R
5jOrlOEWC9ZBKMX2o5Nzby81lJmnv3UgBrcAReliidCmnM4EL48jC6zqXS91k7vB
vG2POoVQiBU7l5VBo3J4jJ2TsQ64wdzKfCWqX0epq/l+WKWdbntWdlPHyVizURYL
WK63lw3QltM3MOG/SFaLYr3BoJBz902VImG4eIpjrSpfLDPiPJgaHxUFSqZBuNzD
Qa0seWL1JoHEEmj4BzPTcWtmXcdRSOoX0IGX497WxFctlli149DHdYCkVFXjgbYg
JBy6/isrcTTWOSRxrxaHvC2w1TEoSJUi4eGhV04MMfqYFtubvoo=
=yxHS
-----END PGP SIGNATURE-----
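An added detection example, not part of this bug report or of dovecot: the script below scans Dovecot log lines for crashes of the submission-login child process as the master process reports them, separating a signal 11 (SIGSEGV, consistent with the null pointer dereference of CVE-2019-11494) from a signal 6 (SIGABRT after a failed assertion, consistent with the assert-crash of CVE-2019-11499) and attaching the Panic line that precedes an abort. The log lines are constructed, and the "service(...): child N killed with signal M" wording is assumed from Dovecot 2.3's master process rather than taken from this report.

```python
"""Flag submission-login crashes in Dovecot log lines.

Added example; the sample lines are constructed and the master-process
message format is assumed, not quoted from the bug report."""
import re
from collections import Counter

# Assumed format of the master's crash report for a child process:
#   master: Error: service(<name>): child <pid> killed with signal <n> (...)
CRASH_RE = re.compile(
    r"master: (?:Error|Fatal): service\((?P<service>[\w-]+)\): "
    r"child (?P<pid>\d+) killed with signal (?P<sig>\d+)"
)
# A failed assertion is logged by the child itself just before it aborts.
PANIC_RE = re.compile(r"(?P<service>[\w-]+): Panic: (?P<msg>.*)")

SIGNAL_KIND = {
    11: "SIGSEGV: null-pointer style crash (cf. CVE-2019-11494)",
    6: "SIGABRT: assert-crash (cf. CVE-2019-11499)",
}

# Constructed sample; the Panic text is a placeholder, not a real assertion.
SAMPLE_LOG = """\
Apr 30 14:01:02 mx1 dovecot: submission-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=203.0.113.7, lip=198.51.100.2, TLS, session=<c1>
Apr 30 14:01:03 mx1 dovecot: master: Error: service(submission-login): child 4122 killed with signal 11 (core dumps disabled)
Apr 30 14:01:09 mx1 dovecot: submission-login: Panic: file client.c: line 0 (constructed): assertion failed: (example)
Apr 30 14:01:09 mx1 dovecot: master: Error: service(submission-login): child 4130 killed with signal 6 (core dumps disabled)
Apr 30 14:02:15 mx1 dovecot: master: Error: service(imap-login): child 4201 killed with signal 11 (core dumps disabled)
Apr 30 14:02:20 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2, TLS
"""


def find_crashes(log_text: str, service: str = "submission-login"):
    """Return one dict per crash of `service` with pid, signal, a human
    label, and (for an abort) the Panic message logged just before it."""
    findings = []
    last_panic = None
    for line in log_text.splitlines():
        m = PANIC_RE.search(line)
        if m and m.group("service") == service:
            last_panic = m.group("msg")
            continue
        m = CRASH_RE.search(line)
        if not m or m.group("service") != service:
            continue
        sig = int(m.group("sig"))
        findings.append({
            "pid": int(m.group("pid")),
            "signal": sig,
            "kind": SIGNAL_KIND.get(sig, f"signal {sig}"),
            # Only an abort is explained by the preceding Panic line.
            "panic": last_panic if sig == 6 else None,
        })
        last_panic = None
    return findings


def summarize(findings) -> Counter:
    """Count crashes per signal number, e.g. {11: 1, 6: 1}."""
    return Counter(f["signal"] for f in findings)


if __name__ == "__main__":
    for f in find_crashes(SAMPLE_LOG):
        print(f"pid {f['pid']}: {f['kind']}"
              + (f" [{f['panic']}]" if f["panic"] else ""))
    print(dict(summarize(find_crashes(SAMPLE_LOG))))
```

A matching line only says that one login process died, so on an unpatched host a cluster of such crashes tied to a single remote address is better read as an unauthenticated denial-of-service attempt than as a stray bug: neither issue requires valid credentials, one needs only a disconnect during authentication and the other an invalid authentication message over TLS.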




Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <dovecot@packages.debian.org>:
Bug#928235; Package src:dovecot. (Mon, 06 May 2019 18:33:04 GMT)


Acknowledgement sent to Bryce Harrington <bryce.harrington@canonical.com>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <dovecot@packages.debian.org>. (Mon, 06 May 2019 18:33:04 GMT)


Message #15 received at 928235@bugs.debian.org:

From: Bryce Harrington <bryce.harrington@canonical.com>
To: 928235@bugs.debian.org
Subject: Reason for omission of client-pending patch?
Date: Mon, 6 May 2019 11:30:11 -0700
For CVE-2019-11494, three patches were provided by the vendor:

  https://seclists.org/oss-sec/2019/q2/82

In Ubuntu we included the three patches, but in updating our merge with
Debian I notice you included only the latter two.  Is this because the
first one suppresses a warning, and is considered non-critical?

Thank you,
Bryce



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Jun 2019 07:27:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:27:30 2019; Machine Name: buxtehude
