Source: dovecot
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,

The following vulnerabilities were published for dovecot.

CVE-2021-33515[0]:
| The submission service in Dovecot before 2.3.15 allows STARTTLS
| command injection in lib-smtp. Sensitive information can be redirected
| to an attacker-controlled address.

https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
https://www.openwall.com/lists/oss-security/2021/06/28/2

CVE-2021-29157[1]:
| Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with
| access to the local filesystem can trick OAuth2 authentication into
| using an HS256 validation key from an attacker-controlled location.
| This occurs during use of local JWT validation with the posix fs
| driver.

https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html
https://www.openwall.com/lists/oss-security/2021/06/28/1

CVE-2020-28200[2]:
| The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource
| Consumption, as demonstrated by a situation with a complex regular
| expression for the regex extension.

https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
https://www.openwall.com/lists/oss-security/2021/06/28/3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33515
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33515
[1] https://security-tracker.debian.org/tracker/CVE-2021-29157
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29157
[2] https://security-tracker.debian.org/tracker/CVE-2020-28200
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28200

Please adjust the affected versions in the BTS as needed.
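All three advisories above name the same fixed upstream release, 2.3.15. The following script is an added example, not part of this report or of the Dovecot project: it parses the first line of `dovecot --version` output (e.g. "2.3.14.1 (abcdef)") and reports which of the three CVE ids apply if the running version is before 2.3.15. Treating a non-numeric tail such as "~rc1" as a pre-release that sorts before the bare number is an assumption made here; the sample version strings in the block are constructed.

```python
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# Fixed upstream version and CVE ids, as stated in the report above.
FIXED_IN = (2, 3, 15)
CVES = ("CVE-2021-33515", "CVE-2021-29157", "CVE-2020-28200")

# Leading dotted version, optionally followed by a glued suffix such as
# "~rc1" or "rc1". Assumption: such a suffix marks a pre-release that
# sorts before the bare numeric version.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)([~A-Za-z][\w.~-]*)?")

Version = Tuple[Tuple[int, ...], bool]  # (numeric components, is_prerelease)


def parse_version(text: str) -> Optional[Version]:
    """Parse the version at the start of `dovecot --version` output."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    nums = tuple(int(part) for part in m.group(1).split("."))
    return nums, m.group(2) is not None


def is_before(version: Version, fixed: Tuple[int, ...]) -> bool:
    """True if `version` is strictly older than `fixed` (e.g. before 2.3.15)."""
    nums, prerelease = version
    width = max(len(nums), len(fixed))
    a = nums + (0,) * (width - len(nums))    # 2.3.15 == 2.3.15.0
    b = fixed + (0,) * (width - len(fixed))
    if a != b:
        return a < b
    return prerelease  # 2.3.15~rc1 is before 2.3.15; 2.3.15 itself is not


def affected_cves(version_text: str) -> Optional[List[str]]:
    """CVE ids from the report that apply to this version text.

    Returns None when the text carries no parseable version, an empty
    list when the version is 2.3.15 or newer.
    """
    version = parse_version(version_text)
    if version is None:
        return None
    return list(CVES) if is_before(version, FIXED_IN) else []


def local_dovecot_version() -> Optional[str]:
    """First line of `dovecot --version`, or None if dovecot is not on PATH."""
    if shutil.which("dovecot") is None:
        return None
    out = subprocess.run(["dovecot", "--version"], capture_output=True, text=True)
    return out.stdout.splitlines()[0] if out.stdout else None


if __name__ == "__main__":
    # Constructed sample strings, in the shape `dovecot --version` prints.
    for sample in ("2.3.14.1 (abcdef)", "2.3.15 (0503334ab1)", "2.3.15~rc1"):
        print(sample, "->", affected_cves(sample))
    live = local_dovecot_version()
    if live is not None:
        print("local:", live, "->", affected_cves(live))
```

This compares upstream version numbers only. A Debian package may carry the fixes backported under an older upstream version, which is why the report asks for the CVE ids to appear in the package changelog; on a Debian host, the changelog entry is the authoritative place to confirm the fix.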