[SECURITY] Fedora 33 Update: dovecot-2.3.11.3-5.fc33

-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2020-b8ebc4201e 2020-09-25 16:31:57.888497 -------------------------------------------------------------------------------- Name : dovecot Product : Fedora 33 Version : 2.3.11.3 Release : 5.fc33 URL : http://www.dovecot.org/ Summary : Secure imap and pop3 server Description : Dovecot is an IMAP server for Linux/UNIX-like systems, written with security primarily in mind. It also contains a small POP3 server. It supports mail in either of maildir or mbox formats. The SQL drivers and authentication plug-ins are in their subpackages. -------------------------------------------------------------------------------- Update Information: CVE-2020-12100: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory. CVE-2020-12673: Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash. CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash. CVE-2020-12674: Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on. -------------------------------------------------------------------------------- ChangeLog: * Wed Sep 2 2020 Michal Hlavinka <mhlavink(a)redhat.com&gt; - 1:2.3.11.3-5 - fix gssapi issue * Wed Aug 26 2020 Michal Hlavinka <mhlavink(a)redhat.com&gt; - 1:2.3.11.3-4 - fix FTBFS on 32bit systems * Mon Aug 17 2020 Jeff Law <law(a)redhat.com&gt; - 1:2.3.11.3-2 - Disable LTO * Sat Aug 15 2020 Michal Hlavinka <mhlavink(a)redhat.com&gt; - 1:2.3.11.3-1 - CVE-2020-12100: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory. - CVE-2020-12673: Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash. - CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash. - CVE-2020-12674: Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on. * Sat Aug 1 2020 Fedora Release Engineering <releng(a)fedoraproject.org&gt; - 1:2.3.10.1-3 - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild * Mon Jul 27 2020 Fedora Release Engineering <releng(a)fedoraproject.org&gt; - 1:2.3.10.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #1868539 - CVE-2020-12100 dovecot: Resource exhaustion via deeply nested MIME parts [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1868539 [ 2 ] Bug #1868540 - CVE-2020-12673 dovecot: Out of bound reads in dovecot NTLM implementation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1868540 [ 3 ] Bug #1868541 - CVE-2020-12674 dovecot: Crash due to assert in RPA implementation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1868541 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-b8ebc4201e' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------