Name: Multiple issues in dovecot
ID: FEDORA-2020-1dee17d880
Distribution: Fedora
Platforms: Fedora 32
Date: Sun, 24 May 2020, 09:20
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10967
Applications: dovecot


Fedora Update Notification
2020-05-24 03:27:16.087535

Name : dovecot
Product : Fedora 32
Version :
Release : 1.fc32
URL : http://www.dovecot.org/
Summary : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

Update Information:

- CVE-2020-10957: lmtp/submission: A client can crash the server by sending a
  NOOP command with an invalid string parameter. This occurs particularly for a
  parameter that doesn't start with a double quote. This applies to all
  services, including submission-login, which makes it possible to crash the
  submission service without authentication.
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown commands can
  cause the server to access freed memory, which can lead to a server crash.
  This happens when the server closes the connection with a "421 Too many
  invalid commands" error. The bad limit depends on the service (lmtp or
  submission) and varies between 10 and 20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address
  that has the empty quoted string as local-part causes the lmtp service to
  crash.

----

dovecot updated to 2.3.10

* Mon May 18 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:
- dovecot updated to
- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957
* Tue Apr 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10-1
- dovecot updated to 2.3.10, pigeonhole updated to 0.5.10

[ 1 ] Bug #1834317 - CVE-2020-10957 dovecot: malformed NOOP commands leads to
[ 2 ] Bug #1834323 - CVE-2020-10958 dovecot: command followed by sufficient
number of newlines leads to use-after-free
[ 3 ] Bug #1834326 - CVE-2020-10967 dovecot: sending mail with empty quoted
localpart leads to DoS

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-1dee17d880' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
