Issue created Aug 13, 2020 by Emily@emily🤖

user/dovecot: multiple vulnerabilities

Bugzilla ID: 344
Alias(es): CVE-2020-12100, CVE-2020-12673, CVE-2020-12674
Reporter: Max Rees (sroracle)
Assignee: Lee Starnes
Reported: 2020-08-13 16:21:45 -0500
Modified: 2020-09-16 22:18:39 -0500
Status: RESOLVED FIXED
Version: 1.0-RC1
Hardware: Adélie Linux / All
Importance: --- / normal
Package(s): user/dovecot

Description

CVE-2020-12100: https://www.openwall.com/lists/oss-security/2020/08/12/1

Vulnerability Details:
Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.

Risk:
Malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad content.
Fixed in >= 2.3.11.3

CVE-2020-12673: https://www.openwall.com/lists/oss-security/2020/08/12/2

Vulnerability Details:
Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash.

Risk:
An adversary can use this vulnerability to crash dovecot auth process repeatedly, preventing login.
Fixed in >= 2.3.11.3

CVE-2020-12674: https://www.openwall.com/lists/oss-security/2020/08/12/3

Vulnerability Details:
Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.

Risk:
An adversary can use this vulnerability to crash dovecot auth process repeatedly, preventing login.
Fixed in >= 2.3.11.3
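The class of defence that addresses the CVE-2020-12100 report above is a bound on MIME nesting depth enforced before any per-part work. The following is an added example, not Dovecot's code or the reporter's; the limit of 20 is an assumed value for the example, and the nested message it checks is constructed inline with Python's standard `email` package.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumed limit for this example only; it is not Dovecot's own setting.
MAX_MIME_DEPTH = 20


def mime_depth(msg: EmailMessage) -> int:
    """Deepest MIME nesting level of a parsed message (top level = 1).

    Walks the part tree with an explicit stack instead of recursion, so a
    deliberately deep message cannot exhaust the checker's own call stack.
    """
    deepest = 0
    stack = [(msg, 1)]
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if part.is_multipart():
            stack.extend((child, depth + 1) for child in part.get_payload())
    return deepest


def check_nesting(raw: bytes, limit: int = MAX_MIME_DEPTH) -> tuple[bool, int]:
    """Return (accepted, depth): accept only when nesting is within `limit`.

    A delivery path would run this before any expensive per-part processing.
    """
    depth = mime_depth(message_from_bytes(raw, policy=default))
    return depth <= limit, depth


def build_nested(depth: int) -> bytes:
    """Constructed test input: multipart/mixed wrappers nested `depth` deep."""
    msg = EmailMessage()
    msg.set_content("leaf")
    for level in range(depth - 1):
        outer = EmailMessage()
        outer.make_mixed(boundary=f"level-{level}")  # one wrapper per level
        outer.attach(msg)
        msg = outer
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "nesting check"
    return msg.as_bytes()


if __name__ == "__main__":
    for d in (3, 40):
        print(d, check_nesting(build_nested(d)))
```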
