Your message dated Fri, 22 May 2020 17:02:28 +0000
with message-id <e1jcb40-0001hd...@fasolo.debian.org>
and subject line Bug#960963: fixed in dovecot 1:2.3.4.1-5+deb10u2
has caused the Debian Bug report #960963,
regarding dovecot: CVE-2020-10957 CVE-2020-10958 CVE-2020-10967
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
960963: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960963
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dovecot
Version: 1:2.3.7.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1:2.3.4.1-5+deb10u1
Control: found -1 1:2.3.2-1
Hi,
The following vulnerabilities were published for dovecot.
CVE-2020-10957[0]:
| In Dovecot before 2.3.10.1, unauthenticated sending of malformed
| parameters to a NOOP command causes a NULL Pointer Dereference and
| crash in submission-login, submission, or lmtp.
CVE-2020-10958[1]:
| In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an
| unauthenticated use-after-free bug in submission-login, submission, or
| lmtp, and can lead to a crash under circumstances involving many
| newlines after a command.
CVE-2020-10967[2]:
| In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash
| the lmtp or submission process by sending mail with an empty
| localpart.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-10957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10957
[1] https://security-tracker.debian.org/tracker/CVE-2020-10958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10958
[2] https://security-tracker.debian.org/tracker/CVE-2020-10967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10967
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.3.4.1-5+deb10u2
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 960...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated dovecot package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 18 May 2020 22:09:08 +0200
Source: dovecot
Architecture: source
Version: 1:2.3.4.1-5+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Dovecot Maintainers <dove...@packages.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 960963
Changes:
dovecot (1:2.3.4.1-5+deb10u2) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply upstream fixes for CVE-2020-10957, CVE-2020-10958 and CVE-2020-10967
     (Closes: #960963)
     - lib-smtp: smtp-server-cmd-vrfy - Restructure parameter parsing.
     - lib-smtp: smtp-syntax - Do not allow NULL return parameters for
       smtp_string_parse().
     - lib-smtp: smtp-syntax - Do not allow NULL return parameters for
       smtp_xtext_parse().
     - lib-smtp: syntax: Fix smtp_ehlo_line_parse() to also record the last
       parameter.
     - lib-smtp: smtp-syntax - Do not allow NULL return parameters for
       smtp_ehlo_line_parse().
     - lib-smtp: smtp-syntax - Return 0 for smtp_string_parse() with empty
       input.
     - lib-smtp: Add tests for smtp_string_parse() and smtp_string_write().
     - lib-smtp: test-smtp-server-errors - Add tests for VRFY and NOOP commands
       with invalid parameters.
     - lib-smtp: server: command: Move core of
       smtp_server_command_submit_reply() into a separate function.
     - lib-smtp: smtp-server-command - Assign cmd->reg immediately.
     - lib-smtp: smtp-server-command - Guarantee that non-destroy hooks aren't
       called for an ended command.
     - lib-smtp: smtp-server-command - Perform initial command execution in
       separate function.
     - lib-smtp: smtp-server-connection - Hold a command reference while
       executing a command.
     - lib-smtp: test-smtp-server-errors - Add tests for large series of empty
       and bad commands.
     - lib-smtp: smtp-address - Don't return NULL from smtp_address_clone*()
       unless the input is NULL.
     - lib-smtp: smtp-address - Don't recognize an address with empty localpart
       as <>.
     - lmtp: lmtp-commands - Explicitly prohibit empty RCPT path.
Checksums-Sha1:
 230c2d5e6f076e2e996da0f5a4fc583de25598b7 3495 dovecot_2.3.4.1-5+deb10u2.dsc
 ec2650b2bb22a52e3bcb0df4db03f5ecc6470599 542620 dovecot_2.3.4.1-5+deb10u2.debian.tar.xz
Checksums-Sha256:
 5de6378355c8a3a009f7427ed536bc96e531ed09d4575bd3047a7f471e703d43 3495 dovecot_2.3.4.1-5+deb10u2.dsc
 3ac89b81095e4719909559b6a74c141f68cb41ccb2176212e93182a7882a5f65 542620 dovecot_2.3.4.1-5+deb10u2.debian.tar.xz
Files:
 ef25418b915cee60d039a457c6ac0cb2 3495 mail optional dovecot_2.3.4.1-5+deb10u2.dsc
 16cbf3291de9d16c6f5d8ebd9a7dcedf 542620 mail optional dovecot_2.3.4.1-5+deb10u2.debian.tar.xz
--- End Message ---
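The empty-localpart case described by CVE-2020-10967 and addressed by the smtp-address and lmtp-commands changelog entries above, as an added illustration that is not Dovecot's code: a hypothetical path classifier that treats only "<>" as the null path and rejects an empty localpart, an empty domain, or empty/NULL input with a syntax error rather than handing a half-parsed address to later code.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical classifier written for this note; it is not Dovecot's
 * smtp-address parser. It follows the rule from the buster-security fix:
 * "<>" is the only null path, and "<@example.org>" (empty localpart)
 * is a syntax error instead of being silently treated as "<>". */
enum smtp_path_kind {
	SMTP_PATH_INVALID = -1,  /* answer with a 501 syntax error */
	SMTP_PATH_NULL = 0,      /* exactly "<>": null reverse-path */
	SMTP_PATH_ADDRESS = 1    /* "<local@domain>" with non-empty parts */
};

/* Classify the path argument of MAIL FROM / RCPT TO, e.g. "<user@example.org>".
 * NULL and empty input are rejected instead of being dereferenced. */
enum smtp_path_kind smtp_path_classify(const char *path)
{
	if (path == NULL || *path == '\0')
		return SMTP_PATH_INVALID;
	size_t len = strlen(path);
	if (path[0] != '<' || path[len - 1] != '>')
		return SMTP_PATH_INVALID;
	if (len == 2)
		return SMTP_PATH_NULL;          /* exactly "<>" */
	const char *inner = path + 1;       /* text between the brackets */
	size_t inner_len = len - 2;
	const char *at = memchr(inner, '@', inner_len);
	if (at == NULL)
		return SMTP_PATH_INVALID;       /* no domain part at all */
	size_t local_len = (size_t)(at - inner);
	size_t domain_len = inner_len - local_len - 1;
	if (local_len == 0 || domain_len == 0)
		return SMTP_PATH_INVALID;       /* empty localpart or empty domain */
	return SMTP_PATH_ADDRESS;
}
```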