Summary: | <net-mail/dovecot-2.3.10.1: Multiple vulnerabilities (CVE-2020-{10957,10958,10967}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | anders.gentoo, eras, hydrapolic |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.openwall.com/lists/oss-security/2020/05/18/1 | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 727244, 736617 | ||
Bug Blocks: | | ||
Description
Hanno Böck
@maintainer(s), please bump to 2.3.10.1.

- CVE-2020-10957: lmtp/submission: A client can crash the server by sending a NOOP command with an invalid string parameter. This occurs particularly for a parameter that doesn't start with a double quote. This applies to all SMTP services, including submission-login, which makes it possible to crash the submission service without authentication.
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown commands can cause the server to access freed memory, which can lead to a server crash. This happens when the server closes the connection with a "421 Too many invalid commands" error. The bad command limit depends on the service (lmtp or submission) and varies between 10 to 20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abe60da18906a3343a6f5cea4f653d129fbc7ff1

commit abe60da18906a3343a6f5cea4f653d129fbc7ff1
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-05-20 08:05:38 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2020-05-20 08:06:36 +0000

net-mail/dovecot: security bump to 2.3.10.1 and fix automagic dependency on libunwind

Bug: https://bugs.gentoo.org/723786
Closes: https://bugs.gentoo.org/715488
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Eray Aslan <eras@gentoo.org>

net-mail/dovecot/Manifest | 1 +
net-mail/dovecot/dovecot-2.3.10.1.ebuild | 288 +++++++++++++++++++++++++++++++
2 files changed, 289 insertions(+)

Arches, please test and mark stable =net-mail/dovecot-2.3.10.1
Target Keywords = ~alpha amd64 arm hppa ~ia64 ~mips ppc ppc64 s390 ~sparc x86

(In reply to Eray Aslan from comment #4)
> Arches, please test and mark stable

Thanks!

amd64 stable

ppc stable

ppc64 stable

x86 stable

~hppa is ok

Sanity check failed:
> net-mail/dovecot-2.3.10.1
> depend hppa stable profile default/linux/hppa/17.0 (3 total)
> net-mail/vpopmail
> rdepend hppa stable profile default/linux/hppa/17.0 (3 total)
> net-mail/vpopmail
All sanity-check issues have been resolved

GLSA Vote: No

Unable to check for sanity:
> dependent bug #736617 is missing keywords
All sanity-check issues have been resolved

Unable to check for sanity:
> dependent bug #736617 is missing keywords
Unable to check for sanity:
> no match for package: =net-mail/dovecot-2.3.10.1
Cleanup done so all done here, but still depending on an open test failure..