stable

dovecot-2.3.10.1-1.fc32

FEDORA-2020-1dee17d880 created by mhlavink 4 years ago for Fedora 32
  • CVE-2020-10957: lmtp/submission: A client can crash the server by sending a NOOP command with an invalid string parameter. This occurs particularly for a parameter that doesn't start with a double quote. This applies to all SMTP services, including submission-login, which makes it possible to crash the submission service without authentication.
  • CVE-2020-10958: lmtp/submission: Sending many invalid or unknown commands can cause the server to access freed memory, which can lead to a server crash. This happens when the server closes the connection with a "421 Too many invalid commands" error. The bad command limit depends on the service (lmtp or submission) and varies between 10 to 20 bad commands.
  • CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash.

dovecot updated to 2.3.10

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2020-1dee17d880

This update has been submitted for testing by mhlavink.

4 years ago

This update's test gating status has been changed to 'waiting'.

4 years ago

This update has obsoleted dovecot-2.3.10-1.fc32, and has inherited its bugs and notes.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago

This update has been pushed to testing.

4 years ago
User Icon bojan provided feedback 4 years ago
karma
User Icon ibims provided feedback 4 years ago
karma

This update can be pushed to stable now if the maintainer wishes

4 years ago
User Icon cairo provided feedback 4 years ago
karma

This update has been submitted for stable by bodhi.

4 years ago

This update has been pushed to stable.

4 years ago

Please login to add feedback.

Metadata
Type
security
Severity
medium
Karma
3
Signed
Content Type
RPM
Test Gating
Autopush Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
7 days
Dates
submitted
4 years ago
in testing
4 years ago
in stable
4 years ago
BZ#1834317 CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS
0
0
BZ#1834323 CVE-2020-10958 dovecot: command followed by sufficient number of newlines leads to use-after-free
0
0
BZ#1834326 CVE-2020-10967 dovecot: sending mail with empty quoted localpart leads to DoS
0
0
BZ#1836933 CVE-2020-10967 dovecot: sending mail with empty quoted localpart leads to DoS [fedora-all]
0
0
BZ#1836934 CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS [fedora-all]
0
0
BZ#1836935 CVE-2020-10958 dovecot: command followed by sufficient number of newlines leads to use-after-free [fedora-all]
0
0

Automated Test Results