Your message dated Tue, 20 Jul 2021 16:05:15 +0000
with message-id <e1m5sf9-000fbd...@fasolo.debian.org>
and subject line Bug#990566: fixed in dovecot 1:2.3.13+dfsg1-2
has caused the Debian Bug report #990566,
regarding dovecot: CVE-2021-33515 CVE-2021-29157 CVE-2020-28200
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990566: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990566
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dovecot
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for dovecot.

CVE-2021-33515[0]:
| The submission service in Dovecot before 2.3.15 allows STARTTLS
| command injection in lib-smtp. Sensitive information can be redirected
| to an attacker-controlled address.

https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
https://www.openwall.com/lists/oss-security/2021/06/28/2


CVE-2021-29157[1]:
| Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with
| access to the local filesystem can trick OAuth2 authentication into
| using an HS256 validation key from an attacker-controlled location.
| This occurs during use of local JWT validation with the posix fs
| driver.

https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html
https://www.openwall.com/lists/oss-security/2021/06/28/1


CVE-2020-28200[2]:
| The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource
| Consumption, as demonstrated by a situation with a complex regular
| expression for the regex extension.

https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
https://www.openwall.com/lists/oss-security/2021/06/28/3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33515
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33515
[1] https://security-tracker.debian.org/tracker/CVE-2021-29157
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29157
[2] https://security-tracker.debian.org/tracker/CVE-2020-28200
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28200

Please adjust the affected versions in the BTS as needed.

--- End Message ---
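The CVE-2021-29157 entry above describes a key lookup that lets a `../` sequence in an untrusted identifier pull an HS256 validation key from outside the configured key store. The following Python is an added illustration of the defensive check such a lookup needs; it is not Dovecot's code and does not reproduce Dovecot's fix. It assumes a hypothetical key store laid out as `<base_dir>/<alg>/<kid>`, where `alg` and `kid` are taken from a token header, and the function `lookup_key_path` is an invented name.

```python
from pathlib import Path
from typing import Optional, Tuple

# Added example, not Dovecot's code. Assumed layout: <base_dir>/<alg>/<kid>,
# with alg and kid coming from an untrusted JWT header. The lookup refuses
# any identifier that could walk out of base_dir.

FORBIDDEN_COMPONENTS = {"", ".", ".."}


def validate_component(name: str, value: str) -> Optional[str]:
    """Return an error message if a single path component is unsafe, else None.

    A component is only ever one directory entry, so path separators, NUL and
    the special names '.' and '..' have no legitimate use here.
    """
    if value in FORBIDDEN_COMPONENTS:
        return f"{name} must not be empty, '.' or '..'"
    for ch in ("/", "\\", "\0"):
        if ch in value:
            return f"{name} contains forbidden character {ch!r}"
    return None


def lookup_key_path(base_dir: str, alg: str, kid: str) -> Tuple[bool, str]:
    """Resolve the key file for (alg, kid) under base_dir.

    Returns (True, absolute_path) when the key would be read from inside the
    store, or (False, reason) when the request is rejected. The containment
    check runs on the resolved path, so once the file exists a symlink inside
    the store that points outside it is caught as well.
    """
    base = Path(base_dir).resolve()
    for name, value in (("alg", alg), ("kid", kid)):
        err = validate_component(name, value)
        if err is not None:
            return False, err
    candidate = (base / alg / kid).resolve()
    # Belt and braces: even if a component slipped past the checks above,
    # the final path must still sit strictly below the store root.
    if base not in candidate.parents:
        return False, f"resolved path {candidate} is outside {base}"
    return True, str(candidate)


if __name__ == "__main__":
    store = "/var/lib/jwt-keys"  # constructed path; it need not exist for the check
    requests = [
        ("HS256", "key-2021-06"),                 # normal lookup
        ("HS256", "../../../tmp/attacker-key"),   # traversal in kid
        ("../HS256", "key-2021-06"),              # traversal in alg
        ("HS256", "/tmp/attacker-key"),           # absolute path in kid
        ("HS256", ""),                            # empty kid
    ]
    for alg, kid in requests:
        ok, detail = lookup_key_path(store, alg, kid)
        print(f"{'accept' if ok else 'reject'}: alg={alg!r} kid={kid!r} -> {detail}")
```

The per-component check is what rejects the `../` case; the `resolve()` plus `parents` check is the backstop that does not depend on having enumerated every dangerous input, which is why it is worth keeping even when the first check looks complete.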
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.3.13+dfsg1-2
Done: Noah Meyerhans <no...@debian.org>

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <no...@debian.org> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 20 Jul 2021 08:05:19 -0700
Source: dovecot
Architecture: source
Version: 1:2.3.13+dfsg1-2
Distribution: unstable
Urgency: high
Maintainer: Dovecot Maintainers <dove...@packages.debian.org>
Changed-By: Noah Meyerhans <no...@debian.org>
Closes: 990566
Changes:
 dovecot (1:2.3.13+dfsg1-2) unstable; urgency=high
 .
   * Import upstream fixes for security issues (Closes: #990566):
     - CVE-2021-29157: Path traversal issue allowing an attacker with
       access to the local filesystem to trick OAuth2 authentication into
       using an HS256 validation key from an attacker-controlled location
     - CVE-2021-33515: Sensitive information could be redirected to an
       attacker-controlled address because of a STARTTLS command injection
       bug in the submission service
Checksums-Sha1:
 45406379abcdf097616056b6ba308cc48f553c82 3991 dovecot_2.3.13+dfsg1-2.dsc
 da6799e28dca6ebed9924ce7744a48b9f5a9d93a 66896 dovecot_2.3.13+dfsg1-2.debian.tar.xz
 63af3771f71f20788b1870b7cab0f523b64fdac9 7659 dovecot_2.3.13+dfsg1-2_source.buildinfo
Checksums-Sha256:
 06bbe045c70fa904124a4bbd700d5b1a61418495cff4543a4a8d52138f5cf988 3991 dovecot_2.3.13+dfsg1-2.dsc
 251f757bca8b5050234d4f03452dcd5512656e1c880817d740832d3eccf67784 66896 dovecot_2.3.13+dfsg1-2.debian.tar.xz
 b7e1f0dbca3dbc09f66d48ac2be4af4dc9043c603baa5c0a893b9a102f487acb 7659 dovecot_2.3.13+dfsg1-2_source.buildinfo
Files:
 bf2b5c88020e6aaf60782f4b63699331 3991 mail optional dovecot_2.3.13+dfsg1-2.dsc
 1607738fd838882c198071fc45c2f3dc 66896 mail optional dovecot_2.3.13+dfsg1-2.debian.tar.xz
 680fc932e4621f5159df6b28a9a3b6fa 7659 mail optional dovecot_2.3.13+dfsg1-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---