Source: dovecot
Version: 1:2.3.11.3+dfsg1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:2.3.4.1-5+deb10u4
Control: fixed -1 1:2.3.4.1-5+deb10u5
Control: found -1 1:2.2.27-3+deb9u6
Control: fixed -1 1:2.2.27-3+deb9u7

Hi,

The following vulnerabilities were published for dovecot.

CVE-2020-24386[0]:
| An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE,
| an authenticated attacker can trigger unhibernation via attacker-
| controlled parameters, leading to access to other users' email
| messages (and path disclosure).

CVE-2020-25275[1]:
| Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and
| imap, leading to an application crash via a crafted email message with
| certain choices for ten thousand MIME parts.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-24386
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24386
[1] https://security-tracker.debian.org/tracker/CVE-2020-25275
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25275

Regards,
Salvatore