Several vulnerabilities have been discovered in the Dovecot email server. CVE-2020-12100 Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it. CVE-2020-12673 Dovecot's NTLM implementation does not correctly check message buffer size, which leads to a crash when reading past allocation. CVE-2020-12674 Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on. For the stable distribution (buster), these problems have been fixed in version 1:2.3.4.1-5+deb10u3. We recommend that you upgrade your dovecot packages. For the detailed security status of dovecot please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dovecot
Several vulnerabilities have been discovered in the Dovecot email server.
Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.
Dovecot's NTLM implementation does not correctly check message buffer size, which leads to a crash when reading past allocation.
Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.
For the stable distribution (buster), these problems have been fixed in version 1:2.3.4.1-5+deb10u3.
We recommend that you upgrade your dovecot packages.
For the detailed security status of dovecot please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dovecot