Your message dated Wed, 10 Jun 2020 18:03:34 +0000
with message-id <e1jj54y-000ihr...@fasolo.debian.org>
and subject line Bug#960963: fixed in dovecot 1:2.3.10.1+dfsg1-1
has caused the Debian Bug report #960963,
regarding dovecot: CVE-2020-10957 CVE-2020-10958 CVE-2020-10967
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
960963: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960963
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dovecot
Version: 1:2.3.7.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1:2.3.4.1-5+deb10u1
Control: found -1 1:2.3.2-1

Hi,

The following vulnerabilities were published for dovecot.

CVE-2020-10957[0]:
| In Dovecot before 2.3.10.1, unauthenticated sending of malformed
| parameters to a NOOP command causes a NULL Pointer Dereference and
| crash in submission-login, submission, or lmtp.


CVE-2020-10958[1]:
| In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an
| unauthenticated use-after-free bug in submission-login, submission, or
| lmtp, and can lead to a crash under circumstances involving many
| newlines after a command.


CVE-2020-10967[2]:
| In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash
| the lmtp or submission process by sending mail with an empty
| localpart.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-10957
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10957
[1] https://security-tracker.debian.org/tracker/CVE-2020-10958
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10958
[2] https://security-tracker.debian.org/tracker/CVE-2020-10967
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10967

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.3.10.1+dfsg1-1
Done: Noah Meyerhans <no...@debian.org>

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 960...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <no...@debian.org> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 10 Jun 2020 10:41:37 -0700
Source: dovecot
Architecture: source
Version: 1:2.3.10.1+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Dovecot Maintainers <dove...@packages.debian.org>
Changed-By: Noah Meyerhans <no...@debian.org>
Closes: 960963
Changes:
 dovecot (1:2.3.10.1+dfsg1-1) unstable; urgency=medium
 .
   * New upstream release addresses multiple security issues
     - CVE-2020-10957
     - CVE-2020-10958
     - CVE-2020-10967
     (Closes: #960963)
   * Refresh patches
   * Strip non-DFSG-compliant docs from .orig archives
   * Incorporate a number of improvements to debian/ metadata contributed by
     Christian Göttsche <cgzo...@googlemail.com>
   * Add no...@debian.org to Uploaders
   * Work around flakiness in autopkgtest suite
   * Suppress library-not-linked-against-libc lintian warnings for some plugins as
     false-positives

-----BEGIN PGP SIGNATURE-----
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=IC5P
-----END PGP SIGNATURE-----

--- End Message ---
