===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2821
dovecot security update
17 August 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: dovecot
Publisher: Debian
Operating System: Debian GNU/Linux 9
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-12674 CVE-2020-12673 CVE-2020-12100
Reference: ESB-2020.2808
ESB-2020.2799
ESB-2020.2790
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html
--------------------------BEGIN INCLUDED TEXT--------------------
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2328-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/
August 15, 2020                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : dovecot
Version : 1:2.2.27-3+deb9u6
CVE ID : CVE-2020-12100 CVE-2020-12673 CVE-2020-12674
Debian Bug : 968302
Several vulnerabilities have been discovered in the Dovecot email
server.
CVE-2020-12100
Receiving mail with deeply nested MIME parts leads to resource
exhaustion as Dovecot attempts to parse it.
CVE-2020-12673
Dovecot's NTLM implementation does not correctly check the message
buffer size, which leads to a crash when it reads past the allocation.
CVE-2020-12674
Dovecot's RPA mechanism implementation accepts a zero-length message,
which leads to an assertion failure (crash) later on.
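As an added example, not part of the Debian advisory or of Dovecot's own code, the following gateway-side check measures MIME nesting depth so that a mail filter in front of the IMAP server can reject messages past a locally chosen limit, the class of input CVE-2020-12100 describes; MAX_MIME_DEPTH, the function names and the sample message are assumptions made for this illustration.

```python
"""Filter-side MIME nesting depth check (added example, not Dovecot code)."""
import email
from email import policy
from email.message import EmailMessage

MAX_MIME_DEPTH = 8  # assumed local policy limit, not a Dovecot setting


def mime_depth(raw: bytes) -> int:
    """Return the maximum nesting depth of MIME parts in a raw message.
    A single-part message has depth 1; each enclosing multipart adds one.
    The walk uses an explicit stack so this function itself never recurses."""
    root = email.message_from_bytes(raw, policy=policy.default)
    deepest = 0
    stack = [(root, 1)]
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if part.is_multipart():
            for child in part.iter_parts():
                stack.append((child, depth + 1))
    return deepest


def exceeds_depth(raw: bytes, limit: int = MAX_MIME_DEPTH) -> bool:
    """True if the message should be rejected for excessive MIME nesting."""
    try:
        return mime_depth(raw) > limit
    except RecursionError:
        # The stdlib parser recurses once per nesting level; a message that
        # exhausts the recursion limit is by definition too deep to accept.
        return True


def build_nested_message(levels: int) -> bytes:
    """Construct a sample message with `levels` nested multipart/mixed
    wrappers around one text/plain leaf (constructed test input)."""
    msg = EmailMessage()
    msg.set_content("leaf")
    for _ in range(levels):
        outer = EmailMessage()
        outer.make_mixed()
        outer.attach(msg)
        msg = outer
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "nesting test"
    return msg.as_bytes()
```

The check must parse the message, so run it only after a message size limit has already been enforced.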
For Debian 9 stretch, these problems have been fixed in version
1:2.2.27-3+deb9u6.
We recommend that you upgrade your dovecot packages.
For the detailed security status of dovecot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dovecot
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================