-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3152
                          dovecot security update
                             15 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dovecot
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 8
                   Red Hat Enterprise Linux WS/Desktop 8
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12674 CVE-2020-12673 CVE-2020-12100

Reference:         ESB-2020.3120
                   ESB-2020.3032
                   ESB-2020.2821

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:3735
   https://access.redhat.com/errata/RHSA-2020:3736

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: dovecot security update
Advisory ID:       RHSA-2020:3735-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3735
Issue date:        2020-09-14
CVE Names:         CVE-2020-12100 CVE-2020-12673 CVE-2020-12674 
=====================================================================

1. Summary:

An update for dovecot is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

Dovecot is an IMAP server for Linux and other UNIX-like systems, written
primarily with security in mind. It also contains a small POP3 server, and
supports e-mail in either the maildir or mbox format. The SQL drivers and
authentication plug-ins are provided as subpackages. 

Security Fix(es):

* dovecot: Resource exhaustion via deeply nested MIME parts
(CVE-2020-12100)

* dovecot: Out of bound reads in dovecot NTLM implementation
(CVE-2020-12673)

* dovecot: Crash due to assert in RPA implementation (CVE-2020-12674)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1866309 - CVE-2020-12100 dovecot: Resource exhaustion via deeply nested MIME parts
1866313 - CVE-2020-12673 dovecot: Out of bound reads in dovecot NTLM implementation
1866317 - CVE-2020-12674 dovecot: Crash due to assert in RPA implementation

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.0):

Source:
dovecot-2.2.36-5.el8_0.3.src.rpm

aarch64:
dovecot-2.2.36-5.el8_0.3.aarch64.rpm
dovecot-debuginfo-2.2.36-5.el8_0.3.aarch64.rpm
dovecot-debugsource-2.2.36-5.el8_0.3.aarch64.rpm
dovecot-mysql-2.2.36-5.el8_0.3.aarch64.rpm
dovecot-mysql-debuginfo-2.2.36-5.el8_0.3.aarch64.rpm
dovecot-pgsql-2.2.36-5.el8_0.3.aarch64.rpm
dovecot-pgsql-debuginfo-2.2.36-5.el8_0.3.aarch64.rpm
dovecot-pigeonhole-debuginfo-2.2.36-5.el8_0.3.aarch64.rpm

ppc64le:
dovecot-2.2.36-5.el8_0.3.ppc64le.rpm
dovecot-debuginfo-2.2.36-5.el8_0.3.ppc64le.rpm
dovecot-debugsource-2.2.36-5.el8_0.3.ppc64le.rpm
dovecot-mysql-2.2.36-5.el8_0.3.ppc64le.rpm
dovecot-mysql-debuginfo-2.2.36-5.el8_0.3.ppc64le.rpm
dovecot-pgsql-2.2.36-5.el8_0.3.ppc64le.rpm
dovecot-pgsql-debuginfo-2.2.36-5.el8_0.3.ppc64le.rpm
dovecot-pigeonhole-debuginfo-2.2.36-5.el8_0.3.ppc64le.rpm

s390x:
dovecot-2.2.36-5.el8_0.3.s390x.rpm
dovecot-debuginfo-2.2.36-5.el8_0.3.s390x.rpm
dovecot-debugsource-2.2.36-5.el8_0.3.s390x.rpm
dovecot-mysql-2.2.36-5.el8_0.3.s390x.rpm
dovecot-mysql-debuginfo-2.2.36-5.el8_0.3.s390x.rpm
dovecot-pgsql-2.2.36-5.el8_0.3.s390x.rpm
dovecot-pgsql-debuginfo-2.2.36-5.el8_0.3.s390x.rpm
dovecot-pigeonhole-debuginfo-2.2.36-5.el8_0.3.s390x.rpm

x86_64:
dovecot-2.2.36-5.el8_0.3.x86_64.rpm
dovecot-debuginfo-2.2.36-5.el8_0.3.x86_64.rpm
dovecot-debugsource-2.2.36-5.el8_0.3.x86_64.rpm
dovecot-mysql-2.2.36-5.el8_0.3.x86_64.rpm
dovecot-mysql-debuginfo-2.2.36-5.el8_0.3.x86_64.rpm
dovecot-pgsql-2.2.36-5.el8_0.3.x86_64.rpm
dovecot-pgsql-debuginfo-2.2.36-5.el8_0.3.x86_64.rpm
dovecot-pigeonhole-debuginfo-2.2.36-5.el8_0.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-12100
https://access.redhat.com/security/cve/CVE-2020-12673
https://access.redhat.com/security/cve/CVE-2020-12674
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX19lZtzjgjWX9erEAQij2xAAmpqGFb5CfdWt0n3ophSPsAuij6RZ/wPa
QJ/GSliN+T4jITRbPI5lyNsqvt9KY2ZirCNvaWvDODC+jp5oCkz920NEjU769v7F
/UlMS059FW3IBjnkfLkhUg6Iz2O4YksD7WHnS17ANUEbY/r/F/9/eCdFD5v9dIdR
bnIaNFQKpMvNd8J64ore79NGxJi1THSWuf1kBIu4AG3s/M11wB6YskXYY8j1JlY6
5EBXywpZhOp+bmdGCV9dBdUCgwe0fOd6Wz8/kUKKfPEqnOO/0G8KRdBzcv/O6WOW
he9nMcGE4rydrB10+pE0biBG802lpVwl8bkUN0FMNvIaq2qLddpbHB49FxfSdhtW
peq8l5ze+ka/WkKgfwYXlXCPmZUrXqJ/Qgfr5Pj1ykZfGBj9pwBH8iycub3Rh3Yd
3NP0I+ezrzMMV0tuiqMmsmnYrDdGONmuBqjPs9YFOWNONRY1vRNRDcrNNC5eB2NO
cjVgG0Ze3KrbAimyTViRouDCvK6STvWNSZzLhoM22P5EVTYjYfiTUOkSXeVOOMHx
rFGxgjXhTBfSmGmVbf5LJByODMK54OS9qGZDJ/CIhyK4Uce50/bpEtElqPi0Yo/p
UmZJr1n0nfMa4jeoB38Xd3+z7wABSNm0wEyjKHo/68n7NfnCg/m5F5+F8Kd2GGUL
eaA2rOH5l9o=
=ipgu
- -----END PGP SIGNATURE-----------------------

- ---------------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: dovecot security update
Advisory ID:       RHSA-2020:3736-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3736
Issue date:        2020-09-14
CVE Names:         CVE-2020-12100 CVE-2020-12673 CVE-2020-12674 
=====================================================================

1. Summary:

An update for dovecot is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

Dovecot is an IMAP server for Linux and other UNIX-like systems, written
primarily with security in mind. It also contains a small POP3 server, and
supports e-mail in either the maildir or mbox format. The SQL drivers and
authentication plug-ins are provided as subpackages. 

Security Fix(es):

* dovecot: Resource exhaustion via deeply nested MIME parts
(CVE-2020-12100)

* dovecot: Out of bound reads in dovecot NTLM implementation
(CVE-2020-12673)

* dovecot: Crash due to assert in RPA implementation (CVE-2020-12674)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1866309 - CVE-2020-12100 dovecot: Resource exhaustion via deeply nested MIME parts
1866313 - CVE-2020-12673 dovecot: Out of bound reads in dovecot NTLM implementation
1866317 - CVE-2020-12674 dovecot: Crash due to assert in RPA implementation

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
dovecot-2.2.36-10.el8_1.2.src.rpm

aarch64:
dovecot-2.2.36-10.el8_1.2.aarch64.rpm
dovecot-debuginfo-2.2.36-10.el8_1.2.aarch64.rpm
dovecot-debugsource-2.2.36-10.el8_1.2.aarch64.rpm
dovecot-mysql-2.2.36-10.el8_1.2.aarch64.rpm
dovecot-mysql-debuginfo-2.2.36-10.el8_1.2.aarch64.rpm
dovecot-pgsql-2.2.36-10.el8_1.2.aarch64.rpm
dovecot-pgsql-debuginfo-2.2.36-10.el8_1.2.aarch64.rpm
dovecot-pigeonhole-2.2.36-10.el8_1.2.aarch64.rpm
dovecot-pigeonhole-debuginfo-2.2.36-10.el8_1.2.aarch64.rpm

ppc64le:
dovecot-2.2.36-10.el8_1.2.ppc64le.rpm
dovecot-debuginfo-2.2.36-10.el8_1.2.ppc64le.rpm
dovecot-debugsource-2.2.36-10.el8_1.2.ppc64le.rpm
dovecot-mysql-2.2.36-10.el8_1.2.ppc64le.rpm
dovecot-mysql-debuginfo-2.2.36-10.el8_1.2.ppc64le.rpm
dovecot-pgsql-2.2.36-10.el8_1.2.ppc64le.rpm
dovecot-pgsql-debuginfo-2.2.36-10.el8_1.2.ppc64le.rpm
dovecot-pigeonhole-2.2.36-10.el8_1.2.ppc64le.rpm
dovecot-pigeonhole-debuginfo-2.2.36-10.el8_1.2.ppc64le.rpm

s390x:
dovecot-2.2.36-10.el8_1.2.s390x.rpm
dovecot-debuginfo-2.2.36-10.el8_1.2.s390x.rpm
dovecot-debugsource-2.2.36-10.el8_1.2.s390x.rpm
dovecot-mysql-2.2.36-10.el8_1.2.s390x.rpm
dovecot-mysql-debuginfo-2.2.36-10.el8_1.2.s390x.rpm
dovecot-pgsql-2.2.36-10.el8_1.2.s390x.rpm
dovecot-pgsql-debuginfo-2.2.36-10.el8_1.2.s390x.rpm
dovecot-pigeonhole-2.2.36-10.el8_1.2.s390x.rpm
dovecot-pigeonhole-debuginfo-2.2.36-10.el8_1.2.s390x.rpm

x86_64:
dovecot-2.2.36-10.el8_1.2.x86_64.rpm
dovecot-debuginfo-2.2.36-10.el8_1.2.x86_64.rpm
dovecot-debugsource-2.2.36-10.el8_1.2.x86_64.rpm
dovecot-mysql-2.2.36-10.el8_1.2.x86_64.rpm
dovecot-mysql-debuginfo-2.2.36-10.el8_1.2.x86_64.rpm
dovecot-pgsql-2.2.36-10.el8_1.2.x86_64.rpm
dovecot-pgsql-debuginfo-2.2.36-10.el8_1.2.x86_64.rpm
dovecot-pigeonhole-2.2.36-10.el8_1.2.x86_64.rpm
dovecot-pigeonhole-debuginfo-2.2.36-10.el8_1.2.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v. 8.1):

aarch64:
dovecot-debuginfo-2.2.36-10.el8_1.2.aarch64.rpm
dovecot-debugsource-2.2.36-10.el8_1.2.aarch64.rpm
dovecot-devel-2.2.36-10.el8_1.2.aarch64.rpm
dovecot-mysql-debuginfo-2.2.36-10.el8_1.2.aarch64.rpm
dovecot-pgsql-debuginfo-2.2.36-10.el8_1.2.aarch64.rpm
dovecot-pigeonhole-debuginfo-2.2.36-10.el8_1.2.aarch64.rpm

ppc64le:
dovecot-debuginfo-2.2.36-10.el8_1.2.ppc64le.rpm
dovecot-debugsource-2.2.36-10.el8_1.2.ppc64le.rpm
dovecot-devel-2.2.36-10.el8_1.2.ppc64le.rpm
dovecot-mysql-debuginfo-2.2.36-10.el8_1.2.ppc64le.rpm
dovecot-pgsql-debuginfo-2.2.36-10.el8_1.2.ppc64le.rpm
dovecot-pigeonhole-debuginfo-2.2.36-10.el8_1.2.ppc64le.rpm

s390x:
dovecot-debuginfo-2.2.36-10.el8_1.2.s390x.rpm
dovecot-debugsource-2.2.36-10.el8_1.2.s390x.rpm
dovecot-devel-2.2.36-10.el8_1.2.s390x.rpm
dovecot-mysql-debuginfo-2.2.36-10.el8_1.2.s390x.rpm
dovecot-pgsql-debuginfo-2.2.36-10.el8_1.2.s390x.rpm
dovecot-pigeonhole-debuginfo-2.2.36-10.el8_1.2.s390x.rpm

x86_64:
dovecot-2.2.36-10.el8_1.2.i686.rpm
dovecot-debuginfo-2.2.36-10.el8_1.2.i686.rpm
dovecot-debuginfo-2.2.36-10.el8_1.2.x86_64.rpm
dovecot-debugsource-2.2.36-10.el8_1.2.i686.rpm
dovecot-debugsource-2.2.36-10.el8_1.2.x86_64.rpm
dovecot-devel-2.2.36-10.el8_1.2.i686.rpm
dovecot-devel-2.2.36-10.el8_1.2.x86_64.rpm
dovecot-mysql-debuginfo-2.2.36-10.el8_1.2.i686.rpm
dovecot-mysql-debuginfo-2.2.36-10.el8_1.2.x86_64.rpm
dovecot-pgsql-debuginfo-2.2.36-10.el8_1.2.i686.rpm
dovecot-pgsql-debuginfo-2.2.36-10.el8_1.2.x86_64.rpm
dovecot-pigeonhole-debuginfo-2.2.36-10.el8_1.2.i686.rpm
dovecot-pigeonhole-debuginfo-2.2.36-10.el8_1.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-12100
https://access.redhat.com/security/cve/CVE-2020-12673
https://access.redhat.com/security/cve/CVE-2020-12674
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX19mVtzjgjWX9erEAQiWVQ/9GfaUcoIuwW9qiOnU3WvzEthaCvR8tIuh
xqAVA+Z80s8shDOMnFrtlFi+A0pqYxddpa3HQY4r04Gtqkn1F752Dothq0eXFaYD
xmOIThpiHiSetwQA5jCsqwLNz+90AL79A4VdocweDJHKC0DDgPkioLtrwe9qBetb
KZObH3+rXNn3AIb7qfU9NWZ+nYFUbXYYMcZuKphhNuJeOJH678kWeD3bv5xIRjoM
5n8+kvptghRmBeZGVDPZBDdeXGJClJFoLgSNFU5tvHkklqkO+WwsOOUUJvpNJSBc
fXdTLOpQj7GH80VyS0dn51XtEzFFqmRIpTnm4sL6Szcuor6PhzdHLdZlUXZG0FkV
7nqPL7kxqwA7kNt0TQ0ZsaQo8LEWrg1SYqqRAyyz6nUcMsjxuwH+GY/xIFkD2oZ8
dwR8uYlfG32EPDKN4kE6EGaJwHtWYhgmociSQxbBWYY0nfOBXsnAa8oAuK3L1KTl
l7LKVDvk0UIiuOC89h1J9MiOThzUePs/9MLjV2b7RYku/wfJt3p3OT6Y/OeKp825
o/WnC1aYPibXNNe42QLP7+7rnxrIYjAbgjI4Nu6vRtuOyeHROwDyH+ROdPdjV7kn
H9XXNCgA8HuFu24ktf3xbdxJVURlHkmdlaEbBIZt2cII/nW0hf8ow+BIeg4dnTCE
mk06nJwoznc=
=JfEb
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX2ALX+NLKJtyKPYoAQh/ZQ//RxwTneySiuAM2oGA/t/0bK1QLJfSAnfc
c0+kVLdqK7Gsc3lZ0AS+Hopabh1EB6S9l+Wpzrh8FbY55PQol/6PqNK0ITKWyvSR
Qe1cr9aNcp91xS/TdIc5RyajgcfrEIQDPLMTnE7uE7+S95sO35RSAPmmIsCvLlRl
+iYnLmceoeG3ZabsyD4+u0keXd8TGrOX9LossztwMez8sqMncUffTSxtfEjSq0yO
KHdem+ndu5WED6Y9MNHtxZ7xczLaK8RTqGFaer9Pdpq6O6KHebwis7uonJy3bHnK
YpHJg6wKOZnKueYxiQ8zaWtNsPqBN4NfGDSRb8ZK+zxuAUWXzr1C4DF7LUfVk2/+
4iauN1fubZwW59ycYo/V5xZxTE9bHayt6auuee5MITam9HwApN1dWI43fbP1YgTL
TIrDPEkpfLWdb+ddAWF7uN9HuHJ5DuVRZqXU+ylWyUu38FNW85tVlwPHROAqnrTN
Nh5hBVCxbomdsMj5sdNLXYGVDM68IcXm1bGlzU3OwlerhZP8jDN+srGd6icy6UZw
GUZh2YAbzkB8B1bh90Boh1T0+44B3eqj+vwWhcOeYK5LEe6ucIqtymseXDAjlR+q
kXuCWU4b7pzhSCvhfYFv5AXaJt/PgfgWHFE9Wwp+mIW68UJP5x4iqjitkZQ11waZ
T4VTA9ik5wM=
=ZwCx
-----END PGP SIGNATURE-----