Bug 723786 (CVE-2020-10957, CVE-2020-10958, CVE-2020-10967) - <net-mail/dovecot-2.3.10.1: Multiple vulnerabilities (CVE-2020-{10957,10958,10967})
Summary: <net-mail/dovecot-2.3.10.1: Multiple vulnerabilities (CVE-2020-{10957,10958,1...
Status: IN_PROGRESS
Alias: CVE-2020-10957, CVE-2020-10958, CVE-2020-10967
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B3 [stable blocked noglsa cve]
Keywords:
Depends on: 727244 CVE-2020-12100, CVE-2020-12673, CVE-2020-12674
Blocks:
Reported: 2020-05-18 15:54 UTC by Hanno Böck
Modified: 2020-09-06 00:57 UTC
CC List: 3 users

See Also:
Package list:
=net-mail/dovecot-2.3.10.1 amd64 arm ppc ppc64 s390 x86
Runtime testing required: ---
nattka: sanity-check+


Description Hanno Böck gentoo-dev 2020-05-18 15:54:45 UTC
See
https://www.openwall.com/lists/oss-security/2020/05/18/1

Multiple issues allow crashing daemons or cause memory corruption.
Comment 1 Sam James archtester gentoo-dev Security 2020-05-18 18:03:25 UTC
@maintainer(s), please bump to 2.3.10.1.
Comment 2 Sam James archtester gentoo-dev Security 2020-05-18 18:03:43 UTC
- CVE-2020-10957: lmtp/submission: A client can crash the server by
 sending a NOOP command with an invalid string parameter. This occurs
 particularly for a parameter that doesn't start with a double quote.
 This applies to all SMTP services, including submission-login, which
 makes it possible to crash the submission service without
 authentication.
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown
 commands can cause the server to access freed memory, which can lead
 to a server crash. This happens when the server closes the connection
 with a "421 Too many invalid commands" error. The bad command limit
 depends on the service (lmtp or submission) and varies between 10 to
 20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
 address that has the empty quoted string as local-part causes the
 lmtp service to crash.
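As an added check that is not part of this bug or of Gentoo's own tooling: the Python below matches installed `category/pkg-version` entries against the affected range from the bug title (`<net-mail/dovecot-2.3.10.1`), so an administrator can tell at a glance whether a host still runs a vulnerable Dovecot. The version ordering is a simplified subset of Gentoo's PMS rules (numeric components, `_alpha`/`_beta`/`_pre`/`_rc`/`_p` suffixes, `-rN` revisions) and the installed list is a constructed sample.

```python
import re

# Affected range from the bug title: every net-mail/dovecot version below 2.3.10.1.
AFFECTED_ATOM = "<net-mail/dovecot-2.3.10.1"

# Suffix ordering alpha < beta < pre < rc < (none) < p. Assumption: a simplified
# subset of Gentoo's PMS version rules, sufficient for ordinary release versions.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

_PKG_RE = re.compile(
    r"^(?P<op><=|>=|<|>|=)?"                      # operator (atoms only)
    r"(?P<name>[^/\s]+/[A-Za-z0-9+_.-]+?)"        # category/package (non-greedy)
    r"-(?P<nums>\d+(?:\.\d+)*)"                   # numeric components
    r"(?:_(?P<suf>alpha|beta|pre|rc|p)(?P<sufn>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"                       # ebuild revision
)

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
        ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}


def parse(spec):
    """Parse '[op]category/pkg-version' into (op, name, comparable version key)."""
    m = _PKG_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported package spec: {spec}")
    key = (tuple(int(x) for x in m["nums"].split(".")),
           _SUFFIX_RANK[m["suf"] or ""], int(m["sufn"] or 0), int(m["rev"] or 0))
    return m["op"], m["name"], key


def matches(installed, atom=AFFECTED_ATOM):
    """True if the installed 'category/pkg-version' entry lies inside the atom."""
    op, aname, akey = parse(atom)
    iop, iname, ikey = parse(installed)
    if op is None or iop is not None:
        raise ValueError("atom needs an operator; installed entry must have none")
    return iname == aname and _OPS[op](ikey, akey)


# Constructed sample in the 'category/pkg-version' shape that `qlist -Iv` prints.
INSTALLED = ["net-mail/dovecot-2.3.10", "mail-mta/postfix-3.5.1"]


def affected(installed=INSTALLED, atom=AFFECTED_ATOM):
    """Return the installed entries that fall inside the affected range."""
    return [pkg for pkg in installed if matches(pkg, atom)]


if __name__ == "__main__":
    for pkg in affected():
        print(f"{pkg} is inside {AFFECTED_ATOM}: update to >=net-mail/dovecot-2.3.10.1")
```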
Comment 3 Larry the Git Cow gentoo-dev 2020-05-20 08:07:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abe60da18906a3343a6f5cea4f653d129fbc7ff1

commit abe60da18906a3343a6f5cea4f653d129fbc7ff1
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-05-20 08:05:38 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-05-20 08:06:36 +0000

    net-mail/dovecot: security bump to 2.3.10.1
    
    and fix automagic dependency on libunwind
    Bug: https://bugs.gentoo.org/723786
    Closes: https://bugs.gentoo.org/715488
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest                |   1 +
 net-mail/dovecot/dovecot-2.3.10.1.ebuild | 288 +++++++++++++++++++++++++++++++
 2 files changed, 289 insertions(+)
Comment 4 Eray Aslan gentoo-dev 2020-05-20 08:12:47 UTC
Arches, please test and mark stable
=net-mail/dovecot-2.3.10.1

Target Keywords = ~alpha amd64 arm hppa ~ia64 ~mips ppc ppc64 s390 ~sparc x86
Comment 5 Sam James archtester gentoo-dev Security 2020-05-20 12:53:25 UTC
(In reply to Eray Aslan from comment #4)
> Arches, please test and mark stable

Thanks!
Comment 6 Agostino Sarubbo gentoo-dev 2020-05-21 07:56:32 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-05-21 07:59:24 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-05-21 08:01:15 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-05-21 08:09:37 UTC
x86 stable
Comment 10 Rolf Eike Beer 2020-05-26 17:42:34 UTC
~hppa is ok
Comment 11 NATTkA bot gentoo-dev 2020-08-31 23:09:06 UTC
Sanity check failed:

> net-mail/dovecot-2.3.10.1
>   depend hppa stable profile default/linux/hppa/17.0 (3 total)
>     net-mail/vpopmail
>   rdepend hppa stable profile default/linux/hppa/17.0 (3 total)
>     net-mail/vpopmail
Comment 12 NATTkA bot gentoo-dev 2020-09-01 06:30:58 UTC
All sanity-check issues have been resolved
Comment 13 Thomas Deutschmann gentoo-dev Security 2020-09-06 00:57:34 UTC
GLSA Vote: No