  • #12274
Closed
Open
Created Jan 05, 2021 by Alicha CH (@alicha), Reporter. 2 of 4 tasks completed.

dovecot: Multiple vulnerabilities (CVE-2020-25275, CVE-2020-24386)

CVE-2020-25275: MIME parsing crash

Mail delivery / parsing crashed when the 10 000th MIME part was message/rfc822 (or if parent was multipart/digest). This happened due to earlier MIME parsing changes for CVE-2020-12100.

Vulnerable version: 2.3.11-2.3.11.3

Fixed version: 2.3.13

References:

  • https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html
  • https://www.openwall.com/lists/oss-security/2021/01/04/3

CVE-2020-24386: IMAP hibernation allows accessing other people's mail

When IMAP hibernation is active, an attacker can cause Dovecot to discover the file system directory structure and access other users' emails using a specially crafted command. The attacker must have valid credentials to access the mail server.

Vulnerable version: 2.2.26-2.3.11.3

Fixed version: 2.3.13

References:

  • https://www.openwall.com/lists/oss-security/2021/01/04/4
  • https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html

Affected branches:

  • master (57939455)
  • 3.12-stable (6bd01a05)
  • 3.11-stable
  • 3.10-stable
Edited Jan 15, 2021 by Natanael Copa