Bug 763525 (CVE-2020-24386, CVE-2020-25275) - <net-mail/dovecot-2.3.13: Multiple vulnerabilities (CVE-2020-24386, CVE-2020-25275)
Status: CONFIRMED
Alias: CVE-2020-24386, CVE-2020-25275
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [stable cve glsa+]
Keywords: CC-ARCHES, STABLEREQ
Reported: 2021-01-04 12:42 UTC by Adrian
Modified: 2021-01-16 00:52 UTC

Package list:
net-mail/dovecot-2.3.13-r1
Runtime testing required: ---
nattka: sanity-check+


Description Adrian 2021-01-04 12:42:32 UTC
There are two CVEs, one of which can result in leaking of other users' mails (not in the standard configuration though):

https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html

An ebuild for v2.3.13 would be great.
Comment 1 Larry the Git Cow gentoo-dev 2021-01-05 09:35:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ddd164e2402c15e598eb8ae615dfaa7a52b08a9

commit 1ddd164e2402c15e598eb8ae615dfaa7a52b08a9
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-01-05 09:35:39 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-01-05 09:35:39 +0000

    net-mail/dovecot: security bump to 2.3.13
    
    Bug: https://bugs.gentoo.org/763525
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest                          |   2 +
 net-mail/dovecot/dovecot-2.3.13.ebuild             | 293 +++++++++++++++++++++
 .../files/dovecot-autoconf-lua-version.patch       |  17 ++
 .../files/dovecot-socket-name-too-long.patch       |  11 +
 4 files changed, 323 insertions(+)
Comment 2 Eray Aslan gentoo-dev 2021-01-05 09:37:28 UTC
arches, please test and mark stable
=net-mail/dovecot-2.3.13

thank you
Comment 3 NATTkA bot gentoo-dev 2021-01-05 09:40:55 UTC Comment hidden (obsolete)
Comment 4 Larry the Git Cow gentoo-dev 2021-01-05 11:42:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a92f4e5c02b03f9b7bacc1c5ba200b5a8f60597a

commit a92f4e5c02b03f9b7bacc1c5ba200b5a8f60597a
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-01-05 11:41:43 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-01-05 11:41:43 +0000

    net-mail/dovecot: slotted lua is not stable yet
    
    Bug: https://bugs.gentoo.org/763525
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/dovecot-2.3.13-r1.ebuild | 287 ++++++++++++++++++++++++++++++
 1 file changed, 287 insertions(+)
Comment 5 Eray Aslan gentoo-dev 2021-01-05 11:44:13 UTC
arches, let's go with
=net-mail/dovecot-2.3.13-r1

as slotted lua is not stable yet. sorry for the email spam
Comment 6 NATTkA bot gentoo-dev 2021-01-05 11:44:57 UTC
All sanity-check issues have been resolved
Comment 7 Sam James archtester gentoo-dev Security 2021-01-06 03:09:33 UTC
amd64 done
Comment 8 Thomas Deutschmann gentoo-dev Security 2021-01-06 15:31:05 UTC
New GLSA request filed.
Comment 9 Sam James archtester gentoo-dev Security 2021-01-07 05:09:32 UTC
ppc64 done
Comment 10 Sam James archtester gentoo-dev Security 2021-01-07 10:20:02 UTC
arm done
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2021-01-10 09:24:32 UTC
This issue was resolved and addressed in
 GLSA 202101-01 at https://security.gentoo.org/glsa/202101-01
by GLSA coordinator Sam James (sam_c).
Comment 12 Sam James archtester gentoo-dev Security 2021-01-10 09:26:12 UTC Comment hidden (obsolete)
Comment 13 Sam James archtester gentoo-dev Security 2021-01-10 09:26:31 UTC
Reopening for remaining arches (not cleanup, oops!)