** Description changed:

- There is a new minor/security patch for Dovecot, to mitigate the two DoS
- vulnerabilities. The fix should be merged into the supported Ubuntu
- version packages.
+ [ Impact ]
+
+ - CVE-2024-23184: A large number of address headers in email resulted
+   in excessive CPU usage.
+ - CVE-2024-23185: Abnormally large email headers are now truncated or
+   discarded, with a limit of 10MB on a single header and 50MB for all
+   the headers of all the parts of an email.
+
+ [ FFE ]
+
+ Upstream changes (From 1:2.3.21):
+ - CVE-2024-23184: A large number of address headers in email resulted
+   in excessive CPU usage.
+ - CVE-2024-23185: Abnormally large email headers are now truncated or
+   discarded, with a limit of 10MB on a single header and 50MB for all
+   the headers of all the parts of an email.
+ - oauth2: Dovecot would send client_id and client_secret as POST parameters
+   to introspection server. These need to be optionally in Basic auth
+   instead as required by OIDC specification.
+ - oauth2: JWT key type check was too strict.
+ - oauth2: JWT token audience was not validated against client_id as
+   required by OIDC specification.
+ - oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
+   protocol specific error message on all errors. This broke OIDC discovery.
+ - oauth2: JWT aud validation was not performed if aud was missing
+   from token, but was configured on Dovecot.
+
+
+ Debian changes (1:2.3.21+dfsg1-3):
+ [ Noah Meyerhans ]
+ * [452a10b] Move systemd unit files to /usr (Closes: #1071915)
+
+ [ Niels Thykier ]
+ * [a9caf51] Avoid unnecessary implicit requirement for `(fake)root`
+
+ [ Christian Göttsche ]
+ * [8c253d1] salsa-ci: enable build_twice job
+ * [47122cd] Bump to standards version 4.7.0 (no further changes)
+ * [4062094] Replace obsolete build-dependency pkg-config with pkgconf
+ * [f1221b8] Split overlong line in changelog
+ * [dd876aa] Annotate Debian patches
+ * [590287e] Fix typos in changelog
+
+ [ Noah Meyerhans ]
+ * [a212eb8] New upstream version 2.3.21.1+dfsg1
+   - Fix CVE-2024-23184 (Closes: #1078876)
+   - Fix CVE-2024-23185 (Closes: #1078877)
+
+ [ Building ]
+
+ Build for Oracular is located at [0].
+
+ [ Testing ]
+
+ (1) Autopkgtest was run in test PPA[0].
+
+ * Results:
+   - dovecot/1:2.3.21.1+dfsg1-1ubuntu1~oracular1
+
+   ✅ dovecot on oracular for amd64 @ 24.08.24 20:40:26
+     • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-oracular-mitchdz-dovecot-security-lp2077324/oracular/amd64/d/dovecot/20240824_204026_e13fe@/log.gz
+
+   ✅ dovecot on oracular for arm64 @ 24.08.24 20:41:12
+     • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-oracular-mitchdz-dovecot-security-lp2077324/oracular/arm64/d/dovecot/20240824_204112_b228a@/log.gz
+
+   ✅ dovecot on oracular for armhf @ 24.08.24 20:51:15
+     • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-oracular-mitchdz-dovecot-security-lp2077324/oracular/armhf/d/dovecot/20240824_205115_7b62a@/log.gz
+
+   ❌ dovecot on oracular for i386 @ 24.08.24 20:54:30
+     • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-oracular-mitchdz-dovecot-security-lp2077324/oracular/i386/d/dovecot/20240824_205430_e8c0c@/log.gz
+     • Status: FAIL
+       • doveadm   FAIL 🟥
+       • systemd   FAIL 🟥
+       • command1  FAIL 🟥
+       • testmails FAIL 🟥
+
+   ✅ dovecot on oracular for ppc64el @ 24.08.24 20:43:19
+     • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-oracular-mitchdz-dovecot-security-lp2077324/oracular/ppc64el/d/dovecot/20240824_204319_688ab@/log.gz
+
+   ✅ dovecot on oracular for s390x @ 24.08.24 20:40:12
+     • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-oracular-mitchdz-dovecot-security-lp2077324/oracular/s390x/d/dovecot/20240824_204012_068e1@/log.gz
+
+ i386 is known to fail and has never passed before[1].
+
+ (2) Test install
+ $ lxc launch ubuntu-daily:oracular o-vm --vm
+ $ lxc shell o-vm
+ # apt update -y && apt upgrade -y
+ # add-apt-repository ppa:mitchdz/dovecot-security-lp2077324
+ # apt install -y dovecot-core
+ # dpkg -s dovecot-core | grep Version:
+ Version: 1:2.3.21.1+dfsg1-1ubuntu1~oracular1
+ # systemctl status dovecot |grep Active -B 3
+ ● dovecot.service - Dovecot IMAP/POP3 email server
+      Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; preset: enabled)
+      Active: active (running) since Tue 2024-08-27 19:32:25 UTC; 2min 0s ago
+
+
+ (3) Test upgrade from Noble
+ # dpkg -s dovecot-core | grep Version:
+ Version: 1:2.3.21+dfsg1-2ubuntu5
+ # apt install -y dovecot-core
+ # dpkg -s dovecot-core | grep Version:
+ Version: 1:2.3.21.1+dfsg1-1ubuntu1~oracular1
+ # systemctl status dovecot |grep Active -B 3
+ ● dovecot.service - Dovecot IMAP/POP3 email server
+      Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; preset: enabled)
+      Active: active (running) since Tue 2024-08-27 19:38:40 UTC; 24s ago
+
+
+ [0] - https://launchpad.net/~mitchdz/+archive/ubuntu/dovecot-security-lp2077324
+ [1] - https://autopkgtest.ubuntu.com/packages/dovecot
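The [ Impact ] section above quotes the limits the upstream fix enforces for CVE-2024-23185 (10MB for a single header, 50MB for all headers of all parts) and names the input class behind CVE-2024-23184 (a large number of address headers). The script below is an added example, not Dovecot's or the Ubuntu package's code: it measures the header block of every MIME part of a message with the same byte limits, and counts address headers, so a relay or a log tool can flag mail that would have stressed a Dovecot older than 2.3.21.1. The address-header threshold (MAX_ADDRESS_HEADERS) and the list of address-bearing header names are assumptions; the bug gives no number for them. The sample messages are constructed inline.

```python
"""Header-size and address-header pre-filter for mail bound for Dovecot.

Added example, not project code. Byte limits come from the CVE-2024-23185
fix description; the address-header threshold is an assumption.
"""
import email
from email import policy

MAX_SINGLE_HEADER = 10 * 1024 * 1024   # 10MB per header, from the fix description
MAX_TOTAL_HEADERS = 50 * 1024 * 1024   # 50MB across all parts, from the fix description
MAX_ADDRESS_HEADERS = 1000             # assumption: the page states no number for this

# Assumed set of address-bearing fields (RFC 5322 originator, destination
# and resent fields).
ADDRESS_HEADERS = frozenset({
    "from", "sender", "reply-to", "to", "cc", "bcc",
    "resent-from", "resent-sender", "resent-to", "resent-cc", "resent-bcc",
})


def scan_headers(raw, max_single=MAX_SINGLE_HEADER, max_total=MAX_TOTAL_HEADERS,
                 max_address_headers=MAX_ADDRESS_HEADERS):
    """Walk every MIME part of a raw message and measure its header block.

    Returns a dict with the total header bytes, the address-header count and
    a list of human-readable findings (empty when the message is within limits).
    """
    # compat32 keeps header values as the raw folded strings, which is what we
    # want to measure; non-ASCII bytes survive as surrogate escapes.
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    findings = []
    total = 0
    address_count = 0
    for part in msg.walk():            # the top-level message, then each sub-part
        for name, value in part.items():
            # Size of "Name: value" as it was on the wire.
            size = len(name) + 2 + len(str(value).encode("utf-8", "surrogateescape"))
            total += size
            if size > max_single:
                findings.append(
                    f"header {name!r} is {size} bytes, over the {max_single}-byte limit")
            if name.lower() in ADDRESS_HEADERS:
                address_count += 1
    if total > max_total:
        findings.append(
            f"all headers total {total} bytes, over the {max_total}-byte limit")
    if address_count > max_address_headers:
        findings.append(
            f"{address_count} address headers, over the assumed limit of {max_address_headers}")
    return {"total_header_bytes": total,
            "address_headers": address_count,
            "findings": findings}


def build_sample(to_headers, subject_len):
    """Constructed test message: one From, N To headers, a Subject of subject_len bytes."""
    lines = ["From: alice@example.test"]
    lines += [f"To: user{i}@example.test" for i in range(to_headers)]
    lines += ["Subject: " + "x" * subject_len, "", "hello"]
    return "\r\n".join(lines).encode()


if __name__ == "__main__":
    # Small limits so the demo runs instantly; the module defaults are the real ones.
    for label, raw in (("normal", build_sample(3, 10)),
                       ("oversized header", build_sample(3, 200)),
                       ("address flood", build_sample(500, 10))):
        print(label, scan_headers(raw, max_single=64, max_total=1024,
                                  max_address_headers=100))
```

Run it with the defaults against real messages (for example `scan_headers(open(path, "rb").read())`) to see which mail in a queue or archive would have hit the new truncation limits; a non-empty findings list is the signal to quarantine or log the message. Because the totals are summed across `msg.walk()`, a multipart message whose individual part headers are each modest but whose combined header bytes exceed the 50MB total is still reported.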
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2077324

Title:
  [FFE] CVE-2024-23184/CVE-2024-23185

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/2077324/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs