Debian Bug report logs -
#979363
dovecot: CVE-2020-24386 CVE-2020-25275
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 5 Jan 2021 20:03:04 UTC
Severity: grave
Tags: security, upstream
Found in versions dovecot/1:2.3.4.1-5+deb10u4, dovecot/1:2.3.11.3+dfsg1-2, dovecot/1:2.2.27-3+deb9u6
Fixed in versions dovecot/1:2.3.4.1-5+deb10u5, dovecot/1:2.2.27-3+deb9u7
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Dovecot Maintainers <dovecot@packages.debian.org>
:
Bug#979363
; Package src:dovecot
.
(Tue, 05 Jan 2021 20:03:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Dovecot Maintainers <dovecot@packages.debian.org>
.
(Tue, 05 Jan 2021 20:03:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: dovecot
Version: 1:2.3.11.3+dfsg1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1:2.3.4.1-5+deb10u4
Control: fixed -1 1:2.3.4.1-5+deb10u5
Control: found -1 1:2.2.27-3+deb9u6
Control: fixed -1 1:2.2.27-3+deb9u7
Hi,
The following vulnerabilities were published for dovecot.
CVE-2020-24386[0]:
| An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE,
| an authenticated attacker can trigger unhibernation via attacker-
| controlled parameters, leading to access to other users' email
| messages (and path disclosure).
CVE-2020-25275[1]:
| Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and
| imap, leading to an application crash via a crafted email message with
| certain choices for ten thousand MIME parts.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-24386
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24386
[1] https://security-tracker.debian.org/tracker/CVE-2020-25275
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25275
Regards,
Salvatore
Marked as found in versions dovecot/1:2.3.4.1-5+deb10u4.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Tue, 05 Jan 2021 20:03:06 GMT) (full text, mbox, link).
Marked as fixed in versions dovecot/1:2.3.4.1-5+deb10u5.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Tue, 05 Jan 2021 20:03:06 GMT) (full text, mbox, link).
Marked as found in versions dovecot/1:2.2.27-3+deb9u6.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Tue, 05 Jan 2021 20:03:07 GMT) (full text, mbox, link).
Marked as fixed in versions dovecot/1:2.2.27-3+deb9u7.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Tue, 05 Jan 2021 20:03:07 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Jan 9 12:35:42 2021;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.