Your message dated Mon, 25 Jan 2021 23:48:33 +0000
with message-id <[email protected]>
and subject line Bug#979363: fixed in dovecot 1:2.3.13+dfsg1-1
has caused the Debian Bug report #979363,
regarding dovecot: CVE-2020-24386 CVE-2020-25275
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
979363: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979363
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dovecot
Version: 1:2.3.11.3+dfsg1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1:2.3.4.1-5+deb10u4
Control: fixed -1 1:2.3.4.1-5+deb10u5
Control: found -1 1:2.2.27-3+deb9u6
Control: fixed -1 1:2.2.27-3+deb9u7

Hi,

The following vulnerabilities were published for dovecot.

CVE-2020-24386[0]:
| An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE,
| an authenticated attacker can trigger unhibernation via attacker-
| controlled parameters, leading to access to other users' email
| messages (and path disclosure).


CVE-2020-25275[1]:
| Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and
| imap, leading to an application crash via a crafted email message with
| certain choices for ten thousand MIME parts.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-24386
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24386
[1] https://security-tracker.debian.org/tracker/CVE-2020-25275
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25275

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.3.13+dfsg1-1
Done: Noah Meyerhans <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <[email protected]> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 Jan 2021 15:38:17 -0800
Source: dovecot
Architecture: source
Version: 1:2.3.13+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Dovecot Maintainers <[email protected]>
Changed-By: Noah Meyerhans <[email protected]>
Closes: 951869 969165 979363 979370
Changes:
 dovecot (1:2.3.13+dfsg1-1) unstable; urgency=medium
 .
   [ Christian Göttsche ]
   * [6829237] New upstream version 2.3.13 (Closes: #979363)
     - CVE-2020-24386: IMAP hibernation allows accessing other peoples mail
     - CVE-2020-25275: MIME parsing crashes with particular messages
 .
   * [6d25736] Add libzstd-dev to build-dependencies (Closes: #969165)
   * [5956798] Rebase patches
   * [2cb63c3] Bump to standards version 4.5.1 (no further changes)
   * [548bac5] Drop unmatched copyright src/lib-ntlm/* wildcard
   * [6f33f3f] Ignore package-contains-documentation-outside-usr-share-doc
     false-positives
   * [dde9c94] Handle removed configuration file in postinst
 .
   [ Pino Toscano ]
   * [04a60e3] d/{control,rules}: disable apparmor support on !linux archs
     (Closes: #951869)
 .
   [ Helmut Grohne ]
   * [e5f9fcb] d/patches: improve cross-compile support (Closes: #979370)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
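
The found/fixed versions in the report above can be turned into a host check. The following is an added example, not part of the bug report or of Debian's tooling: it implements dpkg's version ordering and compares an installed dovecot version against the fixed versions listed on this page. The function names and the choice of branch by `+debNN` suffix are assumptions of the example.

```python
import re

# Fixed versions from the report's "Control: fixed" lines and the closing
# upload's Source-Version. Branch choice by "+debNN" suffix is an assumption.
FIXED = {"deb9": "1:2.2.27-3+deb9u7", "deb10": "1:2.3.4.1-5+deb10u5"}
FIXED_UNSTABLE = "1:2.3.13+dfsg1-1"

def _order(ch):
    # dpkg character weights: '~' first, then end-of-string/digit, letters, rest.
    if ch == "~":
        return -1
    if ch == "" or ch.isdigit():
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    # Compare an upstream-version or revision string with dpkg's algorithm.
    while a or b:
        # Non-digit run: character by character, using the weights above.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            x, y = _order(a[:1]), _order(b[:1])
            if x != y:
                return -1 if x < y else 1
            a, b = a[1:], b[1:]
        # Digit run: numeric comparison; an empty run counts as 0.
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        x, y = int(na or 0), int(nb or 0)
        if x != y:
            return -1 if x < y else 1
        a, b = a[len(na):], b[len(nb):]
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision "".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def deb_cmp(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def needs_update(installed):
    # True if the installed dovecot version sorts before its branch's fix.
    m = re.search(r"\+(deb\d+)u\d+", installed)
    fixed = FIXED.get(m.group(1), FIXED_UNSTABLE) if m else FIXED_UNSTABLE
    return deb_cmp(installed, fixed) < 0
```

On a Debian host the same ordering is available as `dpkg --compare-versions`, so the pure-Python comparison is only needed where dpkg is not installed, for example when triaging an inventory export elsewhere.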
