Docker-mailserver: Bump Dovecot version, vulnerables found
https://dovecot.org/pipermail/dovecot-news/2020-May/000438.html
- CVE-2020-10957 - could crash
- CVE-2020-10958 - could crash or lead to rce
- CVE-2020-10967 - could crash, but requires credentials
landergate
All 4 comments
It seems debian security team has not fixed yet... https://lists.debian.org/debian-security-announce/2020/threads.html
EDIT: Bug reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960963
youtous
on 18 May 2020
Thanks for reporting @landergate. We should fix this as soon as there is an update from Debian.
erik-wramner
on 19 May 2020
Debian security team just fixed it
Debian Security Advisory DSA-4690-1 [email protected]
Package : dovecot
CVE ID : CVE-2020-10957 CVE-2020-10958 CVE-2020-10967
Debian Bug : 960963Several vulnerabilities were discovered in the Dovecot email server,
which could cause crashes in the submission, submission-login or lmtp
services, resulting in denial of service.For the stable distribution (buster), these problems have been fixed in
version 1:2.3.4.1-5+deb10u2.
@erik-wramner can you trigger a new build? thank you :)
youtous
on 20 May 2020
Done. Unfortunately I can't trigger builds (@tomav I used to be able to do that?), so I did a nonsense commit to master. I will also update stable as soon as the tests complete and release a new numbered release ASAP.
erik-wramner
on 21 May 2020
Related issues
Hamsterman
路
3Comments
Dubbeldrank
路
4Comments
cottonthread
路
4Comments
phish108
路
5Comments
ShuP1
路
4Comments
Most helpful comment
Done. Unfortunately I can't trigger builds (@tomav I used to be able to do that?), so I did a nonsense commit to master. I will also update stable as soon as the tests complete and release a new numbered release ASAP.