CVE-2020-7046: A denial of service has been found in Dovecot prior to 2.3.9.3, where lib-smtp doesn't handle truncated command parameters properly, resulting in an infinite loop taking 100% CPU for the process. This happens for LMTP (where it doesn't matter so much) and also for submission-login, where unauthenticated users can trigger it.

CVE-2020-7957: A denial of service has been found in Dovecot prior to 2.3.9.3, where a specially crafted e-mail can cause a mailbox to have permanently inaccessible mail, or the e-mail itself can be stuck in delivery. This happens because the snippet generation crashes if a message is large enough that message-parser returns multiple body blocks, the first block(s) don't contain the full snippet (e.g. full of whitespace) and the input ends with '>'.

Solution: Upgrade to 2.3.9.3

References:
https://seclists.org/oss-sec/2020/q1/72
https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-7046
https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-7957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957
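A small helper for checking whether an installed Dovecot predates the fixed release named in the advisory above. This is an added example, not code from the bug report, Dovecot or the Gentoo package; the only fact it takes from the page is the fixed version 2.3.9.3, and the sample version strings (in the shape `dovecot --version` prints them) are constructed.

```python
"""Decide whether a Dovecot version string is older than the 2.3.9.3 release
that fixes CVE-2020-7046 / CVE-2020-7957.

Added example; the fixed version comes from the advisory, everything else
(sample strings, build hashes) is constructed for illustration.
"""
import re

FIXED_VERSION = "2.3.9.3"  # from the advisory: "Solution: Upgrade to 2.3.9.3"


def parse_version(text: str) -> tuple:
    """Extract the leading dotted version from text such as the output of
    `dovecot --version`, e.g. '2.3.9.2 (4ecc0d9a7)', and return it as a tuple
    of ints. Numeric tuples are needed so that 2.3.10 sorts after 2.3.9.3;
    a plain string comparison would rank '2.3.10' below '2.3.9.3'."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_before_fix(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the given version is older than the fixed release.
    Tuple comparison treats a missing trailing component as smaller, so
    '2.3.9' (three parts) is correctly reported as older than 2.3.9.3."""
    return parse_version(version_text) < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample outputs; the build hashes in parentheses are made up.
    samples = [
        "2.3.9.2 (4ecc0d9a7)",
        "2.3.9.3 (2ec3bd0b1)",
        "2.3.10 (0da0c4d3a)",
        "2.3.9",
    ]
    for sample in samples:
        status = "needs upgrade" if is_before_fix(sample) else "ok"
        print(f"{sample:24} -> {status}")
```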
FYI, just copying the existing 2.3.9.2 -> 2.3.9.3 and rebuilding seems to work fine. I don't know if it is considered helpful, or bad form, to submit a PR for a maintained package. I will do so, but tell me if I should stop ;)
CVE-2020-7046: https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html
CVE-2020-7957: https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5bd3540c37952e7ea38c17232411834884708b9c

commit 5bd3540c37952e7ea38c17232411834884708b9c
Author: Hank Leininger <hlein@korelogic.com>
AuthorDate: 2020-02-12 17:58:51 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2020-02-13 10:22:21 +0000

    net-mail/dovecot: bump to fix CVE-2020-7046, CVE-2020-7957

    Simple bump from 2.3.9.2.

    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/709386
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest               |   1 +
 net-mail/dovecot/dovecot-2.3.9.3.ebuild | 286 ++++++++++++++++++++++++++++++++
 2 files changed, 287 insertions(+)
stablereq 2.3.9.3 (security team please correct me if this was the wrong step to do)
*** Bug 709482 has been marked as a duplicate of this bug. ***
No stable version affected. @ Maintainer(s): Please cleanup and drop =net-mail/dovecot-2.3.8!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83b213b07bce1b76cc090b0be6d263df4a7413d1

commit 83b213b07bce1b76cc090b0be6d263df4a7413d1
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-02-14 05:43:18 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2020-02-14 05:43:18 +0000

    net-mail/dovecot: remove vulnerable version

    Bug: https://bugs.gentoo.org/709386
    Package-Manager: Portage-2.3.88, Repoman-2.3.20
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest               |   1 -
 net-mail/dovecot/dovecot-2.3.9.2.ebuild | 286 --------------------------------
 2 files changed, 287 deletions(-)
GLSA Vote: No! Repository is clean, all done!