See https://www.openwall.com/lists/oss-security/2020/05/18/1

Multiple issues allow crashing daemons or cause memory corruption.
@maintainer(s), please bump to 2.3.10.1.
- CVE-2020-10957: lmtp/submission: A client can crash the server by sending a NOOP command with an invalid string parameter. This occurs particularly for a parameter that doesn't start with a double quote. This applies to all SMTP services, including submission-login, which makes it possible to crash the submission service without authentication.
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown commands can cause the server to access freed memory, which can lead to a server crash. This happens when the server closes the connection with a "421 Too many invalid commands" error. The bad command limit depends on the service (lmtp or submission) and varies between 10 to 20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash.
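Added example, not part of the bug report or of Dovecot's code: a triage script that flags the three command patterns described in the list above in the client side of a captured SMTP/LMTP session, for spotting crash attempts against servers still below 2.3.10.1. The function name, the verb list, the sample session and the threshold of 10 (the lower bound of the 10 to 20 range given above) are assumptions.

```python
import re

# Assumptions (not from the page): verb list, function name, sample session.
KNOWN_VERBS = {"HELO", "EHLO", "LHLO", "MAIL", "RCPT", "DATA", "RSET",
               "NOOP", "QUIT", "VRFY", "STARTTLS", "AUTH"}
# The page gives a limit of 10 to 20 bad commands depending on the service;
# the lower bound is used so both lmtp and submission are covered.
BAD_COMMAND_LIMIT = 10
# RCPT whose local-part is the empty quoted string: RCPT TO:<""@domain>
EMPTY_LOCAL_PART = re.compile(r'^RCPT\s+TO:\s*<""@', re.IGNORECASE)

def scan_session(commands):
    """Return (line_number, cve_id) findings for one client command stream."""
    findings, bad, in_data = [], 0, False
    for number, raw in enumerate(commands, 1):
        line = raw.strip()
        if in_data:  # message body lines are not commands
            in_data = line != "."
            continue
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        arg = parts[1] if len(parts) > 1 else ""
        if verb not in KNOWN_VERBS:
            # Simplification: only unknown verbs are counted as bad commands.
            bad += 1
            if bad == BAD_COMMAND_LIMIT:
                findings.append((number, "CVE-2020-10958"))
        elif verb == "NOOP" and arg and not arg.startswith('"'):
            # Heuristic triage signal: benign unquoted parameters match too.
            findings.append((number, "CVE-2020-10957"))
        elif EMPTY_LOCAL_PART.match(line):
            findings.append((number, "CVE-2020-10967"))
        elif verb == "DATA":
            in_data = True
    return findings

# Constructed sample: client-side lines of one session, not real traffic.
SAMPLE_SESSION = [
    "EHLO client.example", "NOOP abc", "MAIL FROM:<a@example.org>",
    'RCPT TO:<""@example.org>', "DATA", "FOO bar", ".", "NOOP", 'NOOP "ok"',
] + ["BOGUS"] * 10

if __name__ == "__main__":
    for number, cve in scan_session(SAMPLE_SESSION):
        print(f"line {number}: pattern described for {cve}")
```
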
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abe60da18906a3343a6f5cea4f653d129fbc7ff1

commit abe60da18906a3343a6f5cea4f653d129fbc7ff1
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-05-20 08:05:38 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2020-05-20 08:06:36 +0000

net-mail/dovecot: security bump to 2.3.10.1 and fix automagic dependency on libunwind

Bug: https://bugs.gentoo.org/723786
Closes: https://bugs.gentoo.org/715488
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Eray Aslan <eras@gentoo.org>

net-mail/dovecot/Manifest | 1 +
net-mail/dovecot/dovecot-2.3.10.1.ebuild | 288 +++++++++++++++++++++++++++++++
2 files changed, 289 insertions(+)
Arches, please test and mark stable
=net-mail/dovecot-2.3.10.1
Target Keywords = ~alpha amd64 arm hppa ~ia64 ~mips ppc ppc64 s390 ~sparc x86
(In reply to Eray Aslan from comment #4)
> Arches, please test and mark stable

Thanks!
amd64 stable
ppc stable
ppc64 stable
x86 stable
~hppa is ok
Sanity check failed:
> net-mail/dovecot-2.3.10.1
> depend hppa stable profile default/linux/hppa/17.0 (3 total)
> net-mail/vpopmail
> rdepend hppa stable profile default/linux/hppa/17.0 (3 total)
> net-mail/vpopmail
All sanity-check issues have been resolved
GLSA Vote: No
Unable to check for sanity:
> dependent bug #736617 is missing keywords
Unable to check for sanity:
> no match for package: =net-mail/dovecot-2.3.10.1
Cleanup done so all done here, but still depending on an open test failure..