===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2020.2371
dovecot security update
14 July 2020

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           dovecot
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 8
                   Red Hat Enterprise Linux WS/Desktop 8
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-10957

Reference:         ESB-2020.2084
                   ESB-2020.1792
                   ESB-2020.1763
                   ESB-2020.1762

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:2901

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
Red Hat Security Advisory

Synopsis:          Important: dovecot security update
Advisory ID:       RHSA-2020:2901-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2901
Issue date:        2020-07-13
CVE Names:         CVE-2020-10957
=====================================================================

1. Summary:

An update for dovecot is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Dovecot is an IMAP server for Linux and other UNIX-like systems, written
primarily with security in mind.
It also contains a small POP3 server, and supports e-mail in either the
maildir or mbox format. The SQL drivers and authentication plug-ins are
provided as subpackages.

Security Fix(es):

* dovecot: malformed NOOP commands leads to DoS (CVE-2020-10957)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1834317 - CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
dovecot-2.3.8-2.el8_2.1.src.rpm

aarch64:
dovecot-2.3.8-2.el8_2.1.aarch64.rpm
dovecot-debuginfo-2.3.8-2.el8_2.1.aarch64.rpm
dovecot-debugsource-2.3.8-2.el8_2.1.aarch64.rpm
dovecot-mysql-2.3.8-2.el8_2.1.aarch64.rpm
dovecot-mysql-debuginfo-2.3.8-2.el8_2.1.aarch64.rpm
dovecot-pgsql-2.3.8-2.el8_2.1.aarch64.rpm
dovecot-pgsql-debuginfo-2.3.8-2.el8_2.1.aarch64.rpm
dovecot-pigeonhole-2.3.8-2.el8_2.1.aarch64.rpm
dovecot-pigeonhole-debuginfo-2.3.8-2.el8_2.1.aarch64.rpm

ppc64le:
dovecot-2.3.8-2.el8_2.1.ppc64le.rpm
dovecot-debuginfo-2.3.8-2.el8_2.1.ppc64le.rpm
dovecot-debugsource-2.3.8-2.el8_2.1.ppc64le.rpm
dovecot-mysql-2.3.8-2.el8_2.1.ppc64le.rpm
dovecot-mysql-debuginfo-2.3.8-2.el8_2.1.ppc64le.rpm
dovecot-pgsql-2.3.8-2.el8_2.1.ppc64le.rpm
dovecot-pgsql-debuginfo-2.3.8-2.el8_2.1.ppc64le.rpm
dovecot-pigeonhole-2.3.8-2.el8_2.1.ppc64le.rpm
dovecot-pigeonhole-debuginfo-2.3.8-2.el8_2.1.ppc64le.rpm

s390x:
dovecot-2.3.8-2.el8_2.1.s390x.rpm
dovecot-debuginfo-2.3.8-2.el8_2.1.s390x.rpm
dovecot-debugsource-2.3.8-2.el8_2.1.s390x.rpm
dovecot-mysql-2.3.8-2.el8_2.1.s390x.rpm
dovecot-mysql-debuginfo-2.3.8-2.el8_2.1.s390x.rpm
dovecot-pgsql-2.3.8-2.el8_2.1.s390x.rpm
dovecot-pgsql-debuginfo-2.3.8-2.el8_2.1.s390x.rpm
dovecot-pigeonhole-2.3.8-2.el8_2.1.s390x.rpm
dovecot-pigeonhole-debuginfo-2.3.8-2.el8_2.1.s390x.rpm

x86_64:
dovecot-2.3.8-2.el8_2.1.x86_64.rpm
dovecot-debuginfo-2.3.8-2.el8_2.1.x86_64.rpm
dovecot-debugsource-2.3.8-2.el8_2.1.x86_64.rpm
dovecot-mysql-2.3.8-2.el8_2.1.x86_64.rpm
dovecot-mysql-debuginfo-2.3.8-2.el8_2.1.x86_64.rpm
dovecot-pgsql-2.3.8-2.el8_2.1.x86_64.rpm
dovecot-pgsql-debuginfo-2.3.8-2.el8_2.1.x86_64.rpm
dovecot-pigeonhole-2.3.8-2.el8_2.1.x86_64.rpm
dovecot-pigeonhole-debuginfo-2.3.8-2.el8_2.1.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:
dovecot-debuginfo-2.3.8-2.el8_2.1.aarch64.rpm
dovecot-debugsource-2.3.8-2.el8_2.1.aarch64.rpm
dovecot-devel-2.3.8-2.el8_2.1.aarch64.rpm
dovecot-mysql-debuginfo-2.3.8-2.el8_2.1.aarch64.rpm
dovecot-pgsql-debuginfo-2.3.8-2.el8_2.1.aarch64.rpm
dovecot-pigeonhole-debuginfo-2.3.8-2.el8_2.1.aarch64.rpm

ppc64le:
dovecot-debuginfo-2.3.8-2.el8_2.1.ppc64le.rpm
dovecot-debugsource-2.3.8-2.el8_2.1.ppc64le.rpm
dovecot-devel-2.3.8-2.el8_2.1.ppc64le.rpm
dovecot-mysql-debuginfo-2.3.8-2.el8_2.1.ppc64le.rpm
dovecot-pgsql-debuginfo-2.3.8-2.el8_2.1.ppc64le.rpm
dovecot-pigeonhole-debuginfo-2.3.8-2.el8_2.1.ppc64le.rpm

s390x:
dovecot-debuginfo-2.3.8-2.el8_2.1.s390x.rpm
dovecot-debugsource-2.3.8-2.el8_2.1.s390x.rpm
dovecot-devel-2.3.8-2.el8_2.1.s390x.rpm
dovecot-mysql-debuginfo-2.3.8-2.el8_2.1.s390x.rpm
dovecot-pgsql-debuginfo-2.3.8-2.el8_2.1.s390x.rpm
dovecot-pigeonhole-debuginfo-2.3.8-2.el8_2.1.s390x.rpm

x86_64:
dovecot-2.3.8-2.el8_2.1.i686.rpm
dovecot-debuginfo-2.3.8-2.el8_2.1.i686.rpm
dovecot-debuginfo-2.3.8-2.el8_2.1.x86_64.rpm
dovecot-debugsource-2.3.8-2.el8_2.1.i686.rpm
dovecot-debugsource-2.3.8-2.el8_2.1.x86_64.rpm
dovecot-devel-2.3.8-2.el8_2.1.i686.rpm
dovecot-devel-2.3.8-2.el8_2.1.x86_64.rpm
dovecot-mysql-debuginfo-2.3.8-2.el8_2.1.i686.rpm
dovecot-mysql-debuginfo-2.3.8-2.el8_2.1.x86_64.rpm
dovecot-pgsql-debuginfo-2.3.8-2.el8_2.1.i686.rpm
dovecot-pgsql-debuginfo-2.3.8-2.el8_2.1.x86_64.rpm
dovecot-pigeonhole-debuginfo-2.3.8-2.el8_2.1.i686.rpm
dovecot-pigeonhole-debuginfo-2.3.8-2.el8_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-10957
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.