Your message dated Fri, 14 Aug 2020 00:18:33 +0000
with message-id <e1k6nqx-0004aw...@fasolo.debian.org>
and subject line Bug#968302: fixed in dovecot 1:2.3.11.3+dfsg1-1
has caused the Debian Bug report #968302,
regarding src:dovecot: multiple dovecot CVEs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
968302: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968302
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:dovecot
Version: 1:2.3.10.1+dfsg1-2
Severity: grave
Tags: security bullseye sid
Justification: user security hole

Multiple security issues have been identified in dovecot.  These were addressed
in stable with dovecot 1:2.3.4.1-5+deb10u3 (DSA 4745-1), but need to be tracked
in unstable and testing.

From the DSA:

CVE-2020-12100

    Receiving mail with deeply nested MIME parts leads to resource
    exhaustion as Dovecot attempts to parse it.

CVE-2020-12673

    Dovecot's NTLM implementation does not correctly check message
    buffer size, which leads to a crash when reading past allocation.

CVE-2020-12674

    Dovecot's RPA mechanism implementation accepts zero-length message,
    which leads to assert-crash later on.

--- End Message ---
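The CVE-2020-12100 entry above describes the failure mode (unbounded recursion into nested MIME parts) but not the mitigation, which is to cap the nesting depth and stop before the whole message is parsed. The following is an added example, not Dovecot's code and not part of the bug report: a streaming scanner that tracks the stack of active multipart boundaries and aborts as soon as the depth limit is exceeded. It assumes a simplified message shape (the `boundary` parameter appears on a single, unfolded `Content-Type` header line); the sample messages are constructed inline by `nested_message`.

```python
"""Bounded-depth scan of multipart MIME nesting.

Added example, not Dovecot code. The scanner never builds a tree of
parts; it only keeps the stack of currently open boundaries, so memory
is bounded by `limit` and the work stops at the first violation.
"""
import re

# Assumption: the boundary parameter sits on one header line, unfolded.
BOUNDARY_RE = re.compile(rb'boundary="?([^";\s]+)"?', re.IGNORECASE)


class NestingTooDeep(Exception):
    """Raised as soon as more than `limit` multipart levels are open."""


def max_mime_depth(raw: bytes, limit: int = 100) -> int:
    """Return the deepest multipart nesting seen in `raw`.

    Raises NestingTooDeep the moment the open-boundary stack grows past
    `limit`, before the rest of the message is examined.
    """
    stack = []          # open boundaries, innermost last
    deepest = 0
    in_headers = True   # scanning a (sub)part's header block
    pending = None      # boundary declared by the current header block

    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if in_headers:
            if line == b"":
                # end of header block: a multipart part opens a new level
                in_headers = False
                if pending is not None:
                    stack.append(pending)
                    pending = None
                    deepest = max(deepest, len(stack))
                    if deepest > limit:
                        raise NestingTooDeep(f"{deepest} > {limit}")
                continue
            m = BOUNDARY_RE.search(line)
            if m:
                pending = m.group(1)
            continue

        # body line: only boundary delimiters matter here
        if not line.startswith(b"--"):
            continue
        token = line[2:]
        for i in range(len(stack) - 1, -1, -1):
            b = stack[i]
            if token == b + b"--":
                # closing delimiter: this level and anything inside it ends
                del stack[i:]
                break
            if token == b:
                # new sibling part inside level i; its headers follow
                del stack[i + 1:]
                in_headers = True
                break
    return deepest


def is_within_limit(raw: bytes, limit: int = 100) -> bool:
    """Accept/reject helper: True if nesting never exceeds `limit`."""
    try:
        max_mime_depth(raw, limit)
        return True
    except NestingTooDeep:
        return False


def nested_message(depth: int) -> bytes:
    """Construct a message with `depth` nested multipart/mixed levels."""
    lines = []
    for i in range(depth):
        lines += [b"Content-Type: multipart/mixed; boundary=b%d" % i,
                  b"", b"--b%d" % i]
    lines += [b"Content-Type: text/plain", b"", b"leaf"]
    for i in reversed(range(depth)):
        lines.append(b"--b%d--" % i)
    return b"\n".join(lines)


if __name__ == "__main__":
    print(max_mime_depth(nested_message(3)))        # 3
    print(is_within_limit(nested_message(500), 50))  # False
```

The important property is that rejection cost is proportional to the limit, not to the attacker-controlled message: the 500-level sample is refused after 51 header blocks, and the only state kept is the boundary stack.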
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.3.11.3+dfsg1-1
Done: Noah Meyerhans <no...@debian.org>

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 968...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <no...@debian.org> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 13 Aug 2020 16:21:24 -0700
Source: dovecot
Architecture: source
Version: 1:2.3.11.3+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Dovecot Maintainers <dove...@packages.debian.org>
Changed-By: Noah Meyerhans <no...@debian.org>
Closes: 968302
Changes:
 dovecot (1:2.3.11.3+dfsg1-1) unstable; urgency=high
 .
   * New upstream release fixes security issues (Closes: #968302)
     - CVE-2020-12100 - Receiving mail with deeply nested MIME parts leads to
       resource exhaustion as Dovecot attempts to parse it.
     - CVE-2020-12673 - Dovecot's NTLM implementation does not correctly check
       message buffer size, which leads to reading past allocation which can
       lead to crash.
     - CVE-2020-12674 - Dovecot's RPA mechanism implementation accepts
       zero-length message, which leads to assert-crash later on.
   * Add libcap-dev to build-dependencies to support dropping linux
     capabilities.
Checksums-Sha1:
 0d8377d47def44b0c96e02f9aca91bf4862d26f4 3980 dovecot_2.3.11.3+dfsg1-1.dsc
 24320f66d1b7dacf88e72bc941647e8bb65f1a70 1582932 dovecot_2.3.11.3+dfsg1.orig-pigeonhole.tar.gz
 4a094ae503ded8ccea97cc06680fbb2e0f9c3171 7353412 dovecot_2.3.11.3+dfsg1.orig.tar.gz
 b2a229e4fcd7df6b3e8bdcaf7b58f174069c8df6 866 dovecot_2.3.11.3+dfsg1.orig.tar.gz.asc
 f1b6fefca1e22c9397d5708307d73ae62860b90d 60412 dovecot_2.3.11.3+dfsg1-1.debian.tar.xz
 8cc56df2aae07cb936967ceaf4f0316e312ff8b1 7777 dovecot_2.3.11.3+dfsg1-1_source.buildinfo
Checksums-Sha256:
 84df09ca5b96968daf4b0e3df31c2c5a2e0733f27b2c25b83d2708dcf346878d 3980 dovecot_2.3.11.3+dfsg1-1.dsc
 73ffc0cff40b768f8dcf772957b58f3fe8b4a740ffe6fb6e9e66093aec41bc1c 1582932 dovecot_2.3.11.3+dfsg1.orig-pigeonhole.tar.gz
 d3d9ea9010277f57eb5b9f4166a5d2ba539b172bd6d5a2b2529a6db524baafdc 7353412 dovecot_2.3.11.3+dfsg1.orig.tar.gz
 fd73852972032af5e9b25992d94736d18460938ed21b9b6b10c9f77b5468ff89 866 dovecot_2.3.11.3+dfsg1.orig.tar.gz.asc
 9e3c79b6f5555491bb9708eaa8596ee7d26da42ee7c6cca113b3fb18c4f61a1e 60412 dovecot_2.3.11.3+dfsg1-1.debian.tar.xz
 19af65428bf9886b2536e71a6469af869f45eac9cd01cd140d267559d4960632 7777 dovecot_2.3.11.3+dfsg1-1_source.buildinfo
Files:
 ee0cfbf3b7b42dec12dda382a603064b 3980 mail optional dovecot_2.3.11.3+dfsg1-1.dsc
 5cf3c6d6f7a65a08776d236818936e11 1582932 mail optional dovecot_2.3.11.3+dfsg1.orig-pigeonhole.tar.gz
 f06f2272fad04e7b0207f8d00a291f66 7353412 mail optional dovecot_2.3.11.3+dfsg1.orig.tar.gz
 4310c7dff06239a534c731d5fc9ea7b0 866 mail optional dovecot_2.3.11.3+dfsg1.orig.tar.gz.asc
 8eaa02a319a54438b07a8c297d0fc49d 60412 mail optional dovecot_2.3.11.3+dfsg1-1.debian.tar.xz
 b353d7a725e5376fd0e4dfadf4ec318b 7777 mail optional dovecot_2.3.11.3+dfsg1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---