Debian Security Advisory
DLA-2328-1 dovecot -- LTS security update
- Date Reported:
- 15 Aug 2020
- Affected Packages:
dovecot
- Security database references:
- In the Debian bugtracking system: Bug 968302.
In Mitre's CVE dictionary: CVE-2020-12100, CVE-2020-12673, CVE-2020-12674.
- More information:
Several vulnerabilities have been discovered in the Dovecot email server. In the order of the CVE identifiers listed above:
CVE-2020-12100: Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.
CVE-2020-12673: Dovecot's NTLM implementation does not correctly check the message buffer size, which leads to a crash when reading past the allocation.
CVE-2020-12674: Dovecot's RPA mechanism implementation accepts a zero-length message, which leads to an assert-crash later on.
For Debian 9 stretch, these problems have been fixed in version 1:2.2.27-3+deb9u6.
We recommend that you upgrade your dovecot packages.
For the detailed security status of dovecot please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dovecot
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS