On Mon, Jul 19, 2021 at 08:21:45AM -0700, Noah Meyerhans wrote:
> > > CVE-2021-33515[0]:
> > > | The submission service in Dovecot before 2.3.15 allows STARTTLS
> > > | command injection in lib-smtp. Sensitive information can be redirected
> > > | to an attacker-controlled address.
> > >
> > > https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
> > > https://www.openwall.com/lists/oss-security/2021/06/28/2
> > >
> > >
> > > CVE-2021-29157[1]:
> > > | Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with
> > > | access to the local filesystem can trick OAuth2 authentication into
> > > | using an HS256 validation key from an attacker-controlled location.
> > > | This occurs during use of local JWT validation with the posix fs
> > > | driver.
> > >
> > > https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html
> > > https://www.openwall.com/lists/oss-security/2021/06/28/1

Ubuntu has released fixes for these, and I've been able to incorporate
their backports into the current bullseye packages. [1]

> > > CVE-2020-28200[2]:
> > > | The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource
> > > | Consumption, as demonstrated by a situation with a complex regular
> > > | expression for the regex extension.
> > >
> > > https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
> > > https://www.openwall.com/lists/oss-security/2021/06/28/3

This change is quite a bit more disruptive, as it basically would require
backporting the entire Sieve resource accounting framework. Per a comment
on Ubuntu's tracker, this is not practical to backport. [2] I agree with
this assessment. I'd be much more inclined to update to the latest
upstream release and deal with any compatibility issues rather than try
backporting this functionality, if we decide we really need it.

I will be uploading 1:2.3.13+dfsg1-2 to sid with fixes for the first two
CVEs in the near term. Will investigate a similar fix for buster via the
next point release. Will follow up with the release teams to get the
updated packages into the archive.

noah

1. https://launchpad.net/ubuntu/+source/dovecot/1:2.3.13+dfsg1-1ubuntu1.1
2. https://ubuntu.com/security/cve-2020-28200