-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0027
                          dovecot security update
                               5 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dovecot
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account
                   Reduced Security         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25275 CVE-2020-24386
Reference:         ESB-2021.0026

Original Bulletin:
   http://www.debian.org/security/2021/dsa-4825

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4825-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
January 04, 2021                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : dovecot
CVE ID         : CVE-2020-24386 CVE-2020-25275

Several vulnerabilities have been discovered in the Dovecot email server.

CVE-2020-24386

    When imap hibernation is active, an attacker (with valid credentials
    to access the mail server) can cause Dovecot to discover file system
    directory structures and access other users' emails via specially
    crafted commands.

CVE-2020-25275

    Innokentii Sennovskiy reported that the mail delivery and parsing in
    Dovecot can crash when the 10000th MIME part is message/rfc822 (or if
    the parent was multipart/digest). This flaw was introduced by earlier
    changes addressing CVE-2020-12100.

For the stable distribution (buster), these problems have been fixed in
version 1:2.3.4.1-5+deb10u5.

We recommend that you upgrade your dovecot packages.
For the detailed security status of dovecot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl/zMbxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Q0Fw//dflTb6COgPuEjVnojuwkgil7rw6LCtgtl2Jk1wAarmFK/Y+j0qhl+i3/
UdHrXKG9Y8FqNllyxBCS0TUZnEggXTRemzfvFcavnyD1N/ensWxc+oI48tfOE+pk
JM8z9DOIMCKK86S0Cb9D4irw65FUE8+rG1X6KrS0Yw2P0farno/cg90PPwhX8bcF
rtHgvUeiMVRpb64eEkrKU2eZzHhngj1ve05qpfy8wvXf5zfk1SzJcs4tmtHHsHTT
TkxZdrVd863FLt6w2hGaID+whyc0Oiep9JtwyzKCwLoQLvihSs2POOBl4wYnwvFw
WTiqmaoDlZe37bZWAWT6jN3vmQ4pzmV1LYoOiN5gO4p2j8B6tj5NQ2679YlpN90V
nM+ezGFpqFoLv7zL6FdmFV9YWBzLkTvX3gp9nfrEja1IyqMlg2tJFP3btp0NTBwK
7h7Te7s+dlaK0bvPjUQvtL2g+2nH4wkwp4X/DdSvlWYpBy6Ife91SDbQ/oXOm8h/
8Bc252yTvEltTih89zPjVcZsllThG6n/BeNMrECg3OKvob0PZ636Su48PPLNKO7j
bT6Zjr0g0vH6queVUN69RmWxq0nYYd5jMVvbNxC7GzQmeWR7FaaYCarjhXy1+7do
YqjJi3NG4NTOiXKSVEypIW0gmqa8EfIQxthGOHyriB69GXaliks=
=pA98
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX/O91+NLKJtyKPYoAQjKWw/+MT6dyl584+nBn7au0QexI/oh/pkylaJu
P3s7neBuc5JaFfJXDiU4MNxQva8woFTVZhgo2p7ULNGtE8wQSslwFfk8IbaA9max
15uUPw6kMcF0J+VhVaKgMaafQIunMwHou1t9ril7IsRDP1Wlfi9pKXdpFwnj9GBE
N7T1xHEjrGsZum9+QNMH1qRhn9TbO47IAyBT5x6B1M0A995Bc2Y09a3vmyeyxK+6
eFMUYCiyTvJwVaGes1yvSQcnf4jCByGzHB1e2e6rMGZlHL/drmRLdN/PWiePcmLK
n2Pv1fehxq3SfhJz1s4iS3HNSZlJR26r6oG87z2yEv1VAdpQ3vgrFCHcNLhoggUd
WBFYItoRqGEYGebvftHSGq9hINQTr4LRJrxVnpniYHkzaDk4zyDTd57LtC443qTr
zsbQdex8w0wVstayO8zXTnJgXIhd4+9CG1GK5OyWgXZfJaa896Pr1asjCWrmbekC
bViyHkwW2UhkCdkUNwJMOf0TdkeimFBE2dNg5OnHYZ1MRQpGBHYuTy0WEPW+1NZj
y+xPD/C8aWU5gl6fQYBUrPIDgJS51hxMSKYmWPCmXWo6XUOH4v4YR6toVA0Akriq
JXtXhlBFezUTUahMVamudh1pmJxsEd6vKMBSYbWuGobll435B/TX59wUuRRnxjeD
xFckYUXaQ0Q=
=4I9h
-----END PGP SIGNATURE-----