Hi Noah, [sorry for lack of reply to the previous mail, busy with other stuff]
On Tue, Jul 20, 2021 at 08:03:12AM -0700, Noah Meyerhans wrote:
> On Mon, Jul 19, 2021 at 08:21:45AM -0700, Noah Meyerhans wrote:
> > > > CVE-2021-33515[0]:
> > > > | The submission service in Dovecot before 2.3.15 allows STARTTLS
> > > > | command injection in lib-smtp. Sensitive information can be redirected
> > > > | to an attacker-controlled address.
> > > >
> > > > https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
> > > > https://www.openwall.com/lists/oss-security/2021/06/28/2
> > > >
> > > >
> > > > CVE-2021-29157[1]:
> > > > | Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with
> > > > | access to the local filesystem can trick OAuth2 authentication into
> > > > | using an HS256 validation key from an attacker-controlled location.
> > > > | This occurs during use of local JWT validation with the posix fs
> > > > | driver.
> > > >
> > > > https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html
> > > > https://www.openwall.com/lists/oss-security/2021/06/28/1
>
> Ubuntu has released fixes for these, and I've been able to incorporate
> their backports into the current bullseye packages. [1]

Ack, very nice.

> > > > CVE-2020-28200[2]:
> > > > | The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource
> > > > | Consumption, as demonstrated by a situation with a complex regular
> > > > | expression for the regex extension.
> > > >
> > > > https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
> > > > https://www.openwall.com/lists/oss-security/2021/06/28/3
>
> This change is quite a bit more disruptive, as it basically would
> require backporting the entire Sieve resource accounting framework. Per
> a comment on Ubuntu's tracker, this is not practical to backport. [2] I
> agree with this assessment. I'd be much more inclined to update to the
> latest upstream release and deal with any compatibility issues rather
> than try backporting this functionality, if we decide we really need it.
>
> I will be uploading 1:2.3.13+dfsg1-2 to sid with fixes for the first two
> CVEs in the near term. Will investigate a similar fix for buster via
> the next point release. Will follow up with the release teams to get
> the updated packages into the archive.

Thanks, this sounds sensible!

Regards,
Salvatore
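Added illustration, not part of this thread and not Dovecot's code: a small Python sketch of the two bug classes named in the quoted advisories for CVE-2021-33515 and CVE-2021-29157, useful as a mental model when reviewing the backported patches. The STARTTLS part simulates a submission-server command loop: in the vulnerable mode, commands the client pipelined in the same packet as STARTTLS are still in the read buffer when TLS starts and get handled as if they had arrived inside TLS; the hardened mode discards that leftover plaintext. The key-lookup part shows a path check for local JWT validation; the key directory, the use of the token's `kid` header as the file name and the allowed character set are assumptions for the example, not Dovecot's configuration or its actual fix. The client bytes are constructed sample input.

```python
"""Sketches of STARTTLS command injection and key-path traversal.
Added example; the names, paths and inputs below are assumptions."""
import os
import re
from typing import List, Optional, Tuple

# Constructed sample input: a client pipelines MAIL/RCPT in the same packet
# as STARTTLS.  A legitimate client waits for the TLS handshake first.
PIPELINED_CLIENT = (
    b"EHLO client.example\r\n"
    b"STARTTLS\r\n"
    b"MAIL FROM:<victim@example.org>\r\n"
    b"RCPT TO:<attacker@evil.example>\r\n"
)


def process_commands(client_bytes: bytes, hardened: bool) -> List[Tuple[bytes, bool]]:
    """Simulated SMTP submission command loop.

    Returns the verbs the server acted on as (verb, believed_over_tls).  No
    TLS is negotiated here; the flag only records which bytes the server
    treated as protected.  Vulnerable mode: plaintext that was already
    buffered behind STARTTLS is carried into the "TLS" session and handled
    as if the authenticated client had sent it.  Hardened mode: that
    leftover plaintext is discarded (a stricter server drops the connection).
    """
    handled: List[Tuple[bytes, bool]] = []
    tls = False
    buf = client_bytes
    while b"\r\n" in buf:
        line, buf = buf.split(b"\r\n", 1)
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"STARTTLS" and not tls:
            handled.append((verb, tls))
            if hardened and buf:
                # Anything already in the buffer after STARTTLS is untrusted
                # plaintext, so it must not survive into the TLS session.
                buf = b""
            tls = True
            continue
        handled.append((verb, tls))
    return handled


# Assumed key directory for local JWT validation (not Dovecot's default).
KEY_DIR = "/var/lib/dovecot/jwt-keys"
# Allowed key identifiers: no slashes, no leading dot, so ".." and "../x"
# never match.  The realpath check below is defence in depth.
KID_RE = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*")


def resolve_validation_key(key_dir: str, kid: str) -> Optional[str]:
    """Map a token's kid (assumed file name) to a key path inside key_dir.

    Returns None when kid is malformed or the resolved path is not a direct
    child of key_dir, which is the traversal the advisory describes.
    """
    if not KID_RE.fullmatch(kid):
        return None
    root = os.path.realpath(key_dir)
    candidate = os.path.realpath(os.path.join(root, kid))
    if os.path.dirname(candidate) != root:
        return None
    return candidate


if __name__ == "__main__":
    print("vulnerable:", process_commands(PIPELINED_CLIENT, hardened=False))
    print("hardened:  ", process_commands(PIPELINED_CLIENT, hardened=True))
    for kid in ("tenant.key", "../../etc/passwd", "..", "a/b"):
        print(repr(kid), "->", resolve_validation_key(KEY_DIR, kid))
```

In the vulnerable run the RCPT to the attacker's address is recorded with the TLS flag set, which is the "sensitive information can be redirected" outcome from the advisory; in the hardened run only EHLO and STARTTLS are acted on. For the key lookup, the allowlist rejects the traversal before any filesystem access, and the realpath comparison also catches symlinked entries inside the key directory that point elsewhere.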