Your message dated Thu, 02 Sep 2021 22:33:30 +0000
with message-id <e1mlvh0-000hvv...@fasolo.debian.org>
and subject line Bug#991323: fixed in dovecot 1:2.3.16+dfsg1-1
has caused the Debian Bug report #991323,
regarding dovecot: CVE-2020-28200
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
991323: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991323
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dovecot
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for dovecot.
CVE-2021-33515[0]:
| The submission service in Dovecot before 2.3.15 allows STARTTLS
| command injection in lib-smtp. Sensitive information can be redirected
| to an attacker-controlled address.
https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
https://www.openwall.com/lists/oss-security/2021/06/28/2
CVE-2021-29157[1]:
| Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with
| access to the local filesystem can trick OAuth2 authentication into
| using an HS256 validation key from an attacker-controlled location.
| This occurs during use of local JWT validation with the posix fs
| driver.
https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html
https://www.openwall.com/lists/oss-security/2021/06/28/1
CVE-2020-28200[2]:
| The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource
| Consumption, as demonstrated by a situation with a complex regular
| expression for the regex extension.
https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
https://www.openwall.com/lists/oss-security/2021/06/28/3
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) IDs in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-33515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33515
[1] https://security-tracker.debian.org/tracker/CVE-2021-29157
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29157
[2] https://security-tracker.debian.org/tracker/CVE-2020-28200
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28200
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.3.16+dfsg1-1
Done: Noah Meyerhans <no...@debian.org>
We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 991...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noah Meyerhans <no...@debian.org> (supplier of updated dovecot package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 Sep 2021 13:22:16 -0700
Source: dovecot
Architecture: source
Version: 1:2.3.16+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Dovecot Maintainers <dove...@packages.debian.org>
Changed-By: Noah Meyerhans <no...@debian.org>
Closes: 983510 991323
Changes:
dovecot (1:2.3.16+dfsg1-1) unstable; urgency=medium
.
[ Christian Göttsche ]
* [ff4a227] New upstream version 2.3.14+dfsg1
* [963fa3b] New upstream version 2.3.15+dfsg1 (Closes: #991323, #983510)
* [5e0c898] d/watch: adjust dversionmangle for dfsg suffix
* [9ffb0f5] d/patches: update
* [850e1d6] New upstream version 2.3.16+dfsg1
* [7140b87] d/patches: rebase patches
* [fb1b77e] d/rules: enable LTO
* [ce7055d] d/control: add libsystemd-dev dependency
* [db93263] d/copyright: drop unused section
* [aeec1e8] d/rules: update how to set systemdsystemunitdir
* [ebe9709] d/patches: resolve compiler warnings
* [19b2bb0] d/changelog: bump to 1:2.3.16+dfsg1-1
* [58a4078] d/patches: update 32bit warnings patch
.
[ Noah Meyerhans ]
* [f217c2e] Fix indexer crash
* [b075317] Import upstream patch for indexer crash on client disconnect
* [36e8740] drop debian/dovecot-core.maintscript
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---