FEDORA-2020-d737c57172 created by mhlavink 8 months ago for Fedora 32
stable
CVE-2020-12100: Parsing mails with a large number of MIME parts could
  have resulted in excessive CPU usage or a crash due to running out of
  stack memory.
CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
  the message buffer size, which leads to reading past the allocation
  and can lead to a crash.
CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
  address that has the empty quoted string as local-part causes the lmtp
  service to crash.
CVE-2020-12674: Dovecot's RPA mechanism implementation accepts a
  zero-length message, which leads to an assert-crash later on.

How to install

sudo dnf upgrade --advisory=FEDORA-2020-d737c57172

This update has been submitted for testing by mhlavink.

8 months ago

This update's test gating status has been changed to 'ignored'.

8 months ago

This update's test gating status has been changed to 'waiting'.

8 months ago

This update's test gating status has been changed to 'ignored'.

8 months ago

This update has been pushed to testing.

8 months ago
bojan commented & provided feedback 8 months ago

Hmm, appears to have broken GSSAPI authentication. Still testing.

bojan commented & provided feedback 8 months ago

Yep, GSSAPI authentication broken. Reverting to previous dovecot immediately restores it.

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

8 months ago

This update can be pushed to stable now if the maintainer wishes

7 months ago

mhlavink edited this update.

New build(s):

  • dovecot-2.3.11.3-5.fc32

Removed build(s):

  • dovecot-2.3.11.3-4.fc32

Karma has been reset.

7 months ago

This update has been submitted for testing by mhlavink.

7 months ago
bojan commented & provided feedback 7 months ago

Works, including gssapi authentication.

This update has been pushed to testing.

7 months ago

This update can be pushed to stable now if the maintainer wishes

7 months ago
ibims provided feedback 7 months ago
pgfed provided feedback 7 months ago
pgfed commented & provided feedback 6 months ago

can this be pushed to release?

or is there specific add'l testing needed?

This update has been submitted for stable by mhlavink.

6 months ago

This update has been pushed to stable.

6 months ago


Metadata
Type: security
Severity: high
Karma: 3
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 8 months ago
in testing: 7 months ago
in stable: 6 months ago
modified: 7 months ago
BZ#1868539 CVE-2020-12100 dovecot: Resource exhaustion via deeply nested MIME parts [fedora-all]
BZ#1868540 CVE-2020-12673 dovecot: Out of bound reads in dovecot NTLM implementation [fedora-all]
BZ#1868541 CVE-2020-12674 dovecot: Crash due to assert in RPA implementation [fedora-all]
