===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0037
                          dovecot security update
                              6 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dovecot
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account
                   Reduced Security         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25275 CVE-2020-24386

Reference:         ESB-2021.0027
                   ESB-2021.0026

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2517

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2517-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
January 05, 2021                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : dovecot
Version        : 1:2.2.27-3+deb9u7
CVE IDs        : CVE-2020-24386 & CVE-2020-25275

It was discovered that there were two issues in the Dovecot IMAP server:

  * CVE-2020-24386: Prevent an issue where an attacker could cause Dovecot
    to discover file system directory structure and even access other
    users' emails using a specially crafted command.

  * CVE-2020-25275: Prevent an issue where a malicious sender can crash
    Dovecot repeatedly by sending messages with more than 10,000 MIME
    parts.

For Debian 9 "Stretch", these problems have been fixed in version
1:2.2.27-3+deb9u7 and we recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
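
To check a Debian 9 "Stretch" host against the fixed version named in the Debian advisory above, the following added example (not part of the AusCERT bulletin or the Debian advisory) compares package versions using Debian's ordering rules, where a plain string comparison gets the epoch ("1:") and suffixes such as "+deb9u10" wrong. The package listing is a constructed sample, and the function names are this example's own.

```python
import re

# Fixed version for Debian 9 "Stretch", taken from the advisory above.
FIXED = "1:2.2.27-3+deb9u7"

def _order(c):  # dpkg order: '~' < end-of-string or digit < letters < other
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):  # walk alternating non-digit and digit runs
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for k in range(max(len(na), len(nb))):
            d = _order(na[k:k + 1]) - _order(nb[k:k + 1])
            if d:
                return d
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def _parse(v):  # -> (epoch, upstream version, Debian revision)
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare(a, b):  # negative, zero or positive, following Debian version order
    (ea, ua, ra), (eb, ub, rb) = _parse(a), _parse(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def unpatched(listing):  # 'name version' lines -> pairs older than FIXED
    rows = [line.split() for line in listing.splitlines() if line.strip()]
    return [(p, v) for p, v in rows if compare(v, FIXED) < 0]

# Constructed sample in the shape of: dpkg-query -W -f='${Package} ${Version}\n'
SAMPLE = """\
dovecot-core 1:2.2.27-3+deb9u6
dovecot-imapd 1:2.2.27-3+deb9u7
dovecot-pop3d 1:2.2.27-3+deb9u10
dovecot-lmtpd 2.3.4-1
"""

for pkg, ver in unpatched(SAMPLE):
    print(f"{pkg} {ver} is older than {FIXED}")
```

The constructed "2.3.4-1" entry is reported because it has no epoch and therefore sorts below any "1:" version, while "+deb9u10" is correctly treated as newer than "+deb9u7".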