Debian Security Advisory
DSA-4745-1 dovecot -- security update
- Date Reported:
- 12 Aug 2020
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2020-12100, CVE-2020-12673, CVE-2020-12674.
- More information:
Several vulnerabilities have been discovered in the Dovecot email server.
Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.
Dovecot's NTLM implementation does not correctly check message buffer size, which leads to a crash when reading past allocation.
Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.
For the stable distribution (buster), these problems have been fixed in version 1:18.104.22.168-5+deb10u3.
We recommend that you upgrade your dovecot packages.
For the detailed security status of dovecot please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dovecot