Bug 763525 (CVE-2020-24386, CVE-2020-25275) - <net-mail/dovecot-2.3.13: Multiple vulnerabilities (CVE-2020-24386, CVE-2020-25275)
Status: RESOLVED FIXED
Alias: CVE-2020-24386, CVE-2020-25275
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [cve glsa+]
Keywords: CC-ARCHES, STABLEREQ
Duplicates: 768870
Depends on: 764713 768501
Reported: 2021-01-04 12:42 UTC by Adrian
Modified: 2021-02-10 16:03 UTC
Package list:
net-mail/dovecot-2.3.13-r100
Runtime testing required: ---


Description Adrian 2021-01-04 12:42:32 UTC
There are two CVEs, one of which can result in leaking of other users' mails (not in the standard configuration though):

https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html

An ebuild for v2.3.13 would be great.
Comment 1 Larry the Git Cow gentoo-dev 2021-01-05 09:35:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ddd164e2402c15e598eb8ae615dfaa7a52b08a9

commit 1ddd164e2402c15e598eb8ae615dfaa7a52b08a9
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-01-05 09:35:39 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-01-05 09:35:39 +0000

    net-mail/dovecot: security bump to 2.3.13
    
    Bug: https://bugs.gentoo.org/763525
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest                          |   2 +
 net-mail/dovecot/dovecot-2.3.13.ebuild             | 293 +++++++++++++++++++++
 .../files/dovecot-autoconf-lua-version.patch       |  17 ++
 .../files/dovecot-socket-name-too-long.patch       |  11 +
 4 files changed, 323 insertions(+)
Comment 2 Eray Aslan gentoo-dev 2021-01-05 09:37:28 UTC
arches, please test and mark stable
=net-mail/dovecot-2.3.13

thank you
Comment 3 NATTkA bot gentoo-dev 2021-01-05 09:40:55 UTC Comment hidden (obsolete)
Comment 4 Larry the Git Cow gentoo-dev 2021-01-05 11:42:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a92f4e5c02b03f9b7bacc1c5ba200b5a8f60597a

commit a92f4e5c02b03f9b7bacc1c5ba200b5a8f60597a
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-01-05 11:41:43 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-01-05 11:41:43 +0000

    net-mail/dovecot: slotted lua is not stable yet
    
    Bug: https://bugs.gentoo.org/763525
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/dovecot-2.3.13-r1.ebuild | 287 ++++++++++++++++++++++++++++++
 1 file changed, 287 insertions(+)
Comment 5 Eray Aslan gentoo-dev 2021-01-05 11:44:13 UTC
arches, let's go with
=net-mail/dovecot-2.3.13-r1

as slotted lua is not stable yet. sorry for the email spam
Comment 6 NATTkA bot gentoo-dev 2021-01-05 11:44:57 UTC Comment hidden (obsolete)
Comment 7 Sam James archtester gentoo-dev Security 2021-01-06 03:09:33 UTC
amd64 done
Comment 8 Thomas Deutschmann gentoo-dev Security 2021-01-06 15:31:05 UTC
New GLSA request filed.
Comment 9 Sam James archtester gentoo-dev Security 2021-01-07 05:09:32 UTC
ppc64 done
Comment 10 Sam James archtester gentoo-dev Security 2021-01-07 10:20:02 UTC
arm done
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2021-01-10 09:24:32 UTC
This issue was resolved and addressed in
 GLSA 202101-01 at https://security.gentoo.org/glsa/202101-01
by GLSA coordinator Sam James (sam_c).
Comment 12 Sam James archtester gentoo-dev Security 2021-01-10 09:26:12 UTC Comment hidden (obsolete)
Comment 13 Sam James archtester gentoo-dev Security 2021-01-10 09:26:31 UTC
Reopening for remaining arches (not cleanup, oops!)
Comment 14 Sam James archtester gentoo-dev Security 2021-02-05 21:10:09 UTC
x86 done
Comment 15 Sam James archtester gentoo-dev Security 2021-02-05 21:11:58 UTC
*** Bug 768870 has been marked as a duplicate of this bug. ***
Comment 16 Sam James archtester gentoo-dev Security 2021-02-06 19:13:23 UTC
ppc done
Comment 17 Sam James archtester gentoo-dev Security 2021-02-06 19:39:48 UTC
x86 done
Comment 18 Sam James archtester gentoo-dev Security 2021-02-06 19:40:09 UTC
s390 done

all arches done
Comment 19 Sam James archtester gentoo-dev Security 2021-02-06 19:41:13 UTC
Please cleanup, thanks!
Comment 20 Larry the Git Cow gentoo-dev 2021-02-10 15:43:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=416a8ad88987bf8480d2c5afc9db8af864b21e98

commit 416a8ad88987bf8480d2c5afc9db8af864b21e98
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-02-10 15:42:40 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-02-10 15:42:40 +0000

    net-mail/dovecot: cleanup
    
    Bug: https://bugs.gentoo.org/763525
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/dovecot/Manifest                          |   2 -
 net-mail/dovecot/dovecot-2.3.11.3-r1.ebuild        | 296 --------------------
 net-mail/dovecot/dovecot-2.3.11.3-r2.ebuild        | 297 ---------------------
 net-mail/dovecot/dovecot-2.3.11.3.ebuild           | 290 --------------------
 net-mail/dovecot/dovecot-2.3.13.ebuild             | 293 --------------------
 .../dovecot/files/dovecot-2.3.11.3-apop-fix.patch  |  60 -----
 .../dovecot/files/dovecot-fix-search-crash.patch   |  91 -------
 net-mail/dovecot/metadata.xml                      |   1 -
 8 files changed, 1330 deletions(-)
Comment 21 Sam James archtester gentoo-dev Security 2021-02-10 16:03:23 UTC
Thanks a bunch Eras. All done!