Mailcow-dockerized: Container update: CVE-2020-13777 in gnutls

Created on 11 Jun 2020 · 3 Comments · Source: mailcow/mailcow-dockerized

At the very least, the most recent dovecot container contains a vulnerable gnutls version, fix is in 3.6.7-4+deb10u4:

āÆ docker run -it --entrypoint /bin/bash mailcow/dovecot:1.126
root@82ea68e430f6:/# dpkg -l | grep gnutls
ii  libgnutls30:amd64             3.6.7-4+deb10u3              amd64        GNU TLS library - main runtime library

Would be cool to get updated container(s). Thanks!

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13777
https://www.debian.org/security/2020/dsa-4697
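The check in the report (run `dpkg -l` inside the image and eyeball the version) can be automated across every image. The script below is an added example, not code from the issue or from the mailcow project: it re-implements dpkg's Debian version ordering (epoch, upstream, revision; alternating non-digit and digit runs, with `~` sorting before everything) so the comparison against the fixed version `3.6.7-4+deb10u4` is exact rather than a string compare, parses `dpkg -l` output, and optionally runs the query inside images via `docker run`. The sample dpkg output is constructed from the line in the report; the docker-based `audit_image` helper assumes a working Docker CLI on PATH, and image names are taken from the command line (the one in the report is the default).

```python
import re
import shutil
import subprocess
import sys

PACKAGE = "libgnutls30"
FIXED_VERSION = "3.6.7-4+deb10u4"   # fixed version from DSA-4697 / the issue report

# Constructed sample of `dpkg -l` output, modelled on the line in the issue.
SAMPLE_DPKG_OUTPUT = """\
||/ Name                 Version             Architecture Description
+++-====================-===================-============-==========================
ii  libgnutls30:amd64    3.6.7-4+deb10u3     amd64        GNU TLS library - main runtime library
"""


def _order(c):
    """dpkg's weight for one non-digit character: '~' lowest, letters, then punctuation."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(x, y):
    """Compare two non-digit runs; a missing character counts as 0, so '~' < ''."""
    for i in range(max(len(x), len(y))):
        ca = _order(x[i]) if i < len(x) else 0
        cb = _order(y[i]) if i < len(y) else 0
        if ca != cb:
            return -1 if ca < cb else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the way dpkg's verrevcmp does."""
    while a or b:
        pa = re.match(r"[^0-9]*", a).group(0)
        pb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(pa):], b[len(pb):]
        r = _cmp_nondigit(pa, pb)
        if r:
            return r
        na = re.match(r"[0-9]*", a).group(0)
        nb = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1, ordering v1 against v2 like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def parse_dpkg_l(output, package=PACKAGE):
    """Return the installed version of `package` from `dpkg -l` output, or None."""
    for line in output.splitlines():
        fields = line.split()
        # 'ii' = installed; the name may carry an ':amd64' architecture suffix
        if len(fields) >= 3 and fields[0] == "ii" and fields[1].split(":")[0] == package:
            return fields[2]
    return None


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts before the fixed one."""
    return compare_versions(installed, fixed) < 0


def audit_image(image):
    """Query dpkg inside an image (needs docker on PATH); returns (version, vulnerable)."""
    if shutil.which("docker") is None:
        raise RuntimeError("docker CLI not found")
    proc = subprocess.run(
        ["docker", "run", "--rm", "--entrypoint", "dpkg", image, "-l", PACKAGE],
        capture_output=True, text=True, check=False)
    version = parse_dpkg_l(proc.stdout)
    return version, (is_vulnerable(version) if version else False)


if __name__ == "__main__":
    for img in sys.argv[1:] or ["mailcow/dovecot:1.126"]:
        ver, vuln = audit_image(img)
        print(f"{img}: {PACKAGE} {ver or 'not installed'} -> {'UPDATE' if vuln else 'ok'}")
```

Run it as `python3 gnutls_check.py mailcow/dovecot:1.126 mailcow/postfix:<tag>` with the tags you actually deploy; an image where the package is absent is reported as not installed rather than vulnerable. A proper version comparison matters here because `deb10u10` would sort before `deb10u4` under plain string ordering.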

All 3 comments

Thanks for reporting. The library is actually installed inside most of our containers:

  • rspamd
  • dovecot
  • postfix
  • phpfpm
  • mariadb
  • sogo
  • clamd
  • solr
  • unbound

Looking through them however, GnuTLS is exclusively used as a client library (e.g. by apt, gnupg, curl, dovecot-ldap, dovecot-mysql, postfix-mysql, sogo, wget). Our public-facing TLS servers (Postfix, Dovecot, Nginx) use OpenSSL and are thus safe.

The GnuTLS developers say:

This caused the TLS server to not securely construct a session ticket encryption key considering the application supplied secret, allowing a MitM attacker [...]

So only servers need to immediately update to mitigate a security issue. Mailcow is not affected.

And thanks for checking! The reason I filed this is the press (Heise…) citing Dovecot as being affected.

Since you left the issue open, I guess I'll leave it as such for your delayed closing pleasure. :)

I'll leave it open for a few more days so people see it and don't open a new issue for the same CVE.
