On Sat, Jul 17, 2021 at 09:05:32PM +0200, Salvatore Bonaccorso wrote:
> > CVE-2021-33515[0]:
> > | The submission service in Dovecot before 2.3.15 allows STARTTLS
> > | command injection in lib-smtp. Sensitive information can be redirected
> > | to an attacker-controlled address.
> >
> > https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
> > https://www.openwall.com/lists/oss-security/2021/06/28/2
> >
> >
> > CVE-2021-29157[1]:
> > | Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with
> > | access to the local filesystem can trick OAuth2 authentication into
> > | using an HS256 validation key from an attacker-controlled location.
> > | This occurs during use of local JWT validation with the posix fs
> > | driver.
> >
> > https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html
> > https://www.openwall.com/lists/oss-security/2021/06/28/1
> >
> >
> > CVE-2020-28200[2]:
> > | The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource
> > | Consumption, as demonstrated by a situation with a complex regular
> > | expression for the regex extension.
> >
> > https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
> > https://www.openwall.com/lists/oss-security/2021/06/28/3
> >
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2021-33515
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33515
> > [1] https://security-tracker.debian.org/tracker/CVE-2021-29157
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29157
> > [2] https://security-tracker.debian.org/tracker/CVE-2020-28200
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28200
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Do you have a chance to try to get this yet in time for bullseye? Do
> you have time for it (I do agree the time is now very tight).

It's not clear if I'll be able to get this fixed ahead of the release,
but I am working on it. The individual upstream git commits aren't
easily correlated with the CVEs, and there's a lot of modified context,
making it difficult to cherry-pick individual changes even when they can
be identified.

Stay tuned...

noah