Hi all, we are releasing a CVE patch release 2.3.21.1. https://dovecot.org/releases/2.3/dovecot-2.3.21.1.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.21.1.tar.gz.sig Binary packages in https://repo.dovecot.org/ Docker images in https://hub.docker.com/r/dovecot/dovecot Kind regards, Aki Tuomi Open-Xchange oy --- - CVE-2024-23184: A large number of address headers in email resulted in excessive CPU usage. - CVE-2024-23185: Abnormally large email headers are now truncated or discarded, with a limit of 10MB on a single header and 50MB for all the headers of all the parts of an email. - oauth2: Dovecot would send client_id and client_secret as POST parameters to introspection server. These need to be optionally in Basic auth instead as required by OIDC specification. - oauth2: JWT key type check was too strict. - oauth2: JWT token audience was not validated against client_id as required by OIDC specification. - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out protocol specific error message on all errors. This broke OIDC discovery. - oauth2: JWT aud validation was not performed if aud was missing from token, but was configured on Dovecot.
Affected product: Dovecot IMAP Server Internal reference: DOV-6464 Vulnerability type: CWE-770 (Allocation of Resources Without Limits or Throttling) Vulnerable version: 2.2, 2.3 Vulnerable component: lib-mail Report confidence: Confirmed Solution status: Fixed in 2.3.21.1 Researcher credits: Vendor internal discovery Vendor notification: 2024-01-30 CVE reference: CVE-2024-23184 CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N) Vulnerability Details: Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in +a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this +is a security issue. The main problem is that each header line's address is added to the end of a linked list. This is done by walking the whole linked list, which becomes more +inefficient the more addresses there are. Workaround: One can implement restrictions on address headers on MTA component preceding Dovecot. Fix: Install non-vulnerable version of Dovecot. Patch can be found at https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6d4eda4ca6fc9911ab4928c138e85b526f803d1 commit a6d4eda4ca6fc9911ab4928c138e85b526f803d1 Author: Eray Aslan <eras@gentoo.org> AuthorDate: 2024-08-15 07:31:19 +0000 Commit: Eray Aslan <eras@gentoo.org> CommitDate: 2024-08-15 07:31:19 +0000 net-mail/dovecot: add 2.3.21.1 Bug: https://bugs.gentoo.org/937955 Signed-off-by: Eray Aslan <eras@gentoo.org> net-mail/dovecot/Manifest | 2 + net-mail/dovecot/dovecot-2.3.21.1.ebuild | 302 +++++++++++++++++++++++++++++++ 2 files changed, 304 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=435ad104b9a7e9cbf65b0cab5617336bb0e87244 commit 435ad104b9a7e9cbf65b0cab5617336bb0e87244 Author: Eray Aslan <eras@gentoo.org> AuthorDate: 2024-08-17 04:50:51 +0000 Commit: Eray Aslan <eras@gentoo.org> CommitDate: 2024-08-17 04:51:49 +0000 net-mail/dovecot: drop versions Bug: https://bugs.gentoo.org/937955 Signed-off-by: Eray Aslan <eras@gentoo.org> net-mail/dovecot/Manifest | 4 - net-mail/dovecot/dovecot-2.3.20-r1.ebuild | 302 ------------------------------ net-mail/dovecot/dovecot-2.3.20-r2.ebuild | 302 ------------------------------ net-mail/dovecot/dovecot-2.3.20-r3.ebuild | 302 ------------------------------ net-mail/dovecot/dovecot-2.3.21-r1.ebuild | 302 ------------------------------ net-mail/dovecot/dovecot-2.3.21.ebuild | 302 ------------------------------ 6 files changed, 1514 deletions(-)
