Security update for dovecot23 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1241-1 Final 1 1 2020-08-21T14:22:15Z current 2020-08-21T14:22:15Z 2020-08-21T14:22:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dovecot23 This update for dovecot23 fixes the following issues: - CVE-2020-12673: improper implementation of NTLM does not check message buffer size (bsc#1174922). - CVE-2020-12674: improper implementation of RPA mechanism (bsc#1174923). This update was imported from the SUSE:SLE-15-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1241 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/V5BQ7VTUOTG643O3W2XOD47UQ4UFUGOJ/ E-Mail link for openSUSE-SU-2020:1241-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1174922 SUSE Bug 1174922 https://bugzilla.suse.com/1174923 SUSE Bug 1174923 https://www.suse.com/security/cve/CVE-2020-12673/ SUSE CVE CVE-2020-12673 page https://www.suse.com/security/cve/CVE-2020-12674/ SUSE CVE CVE-2020-12674 page openSUSE Leap 15.1 dovecot23-2.3.10-lp151.2.12.1 dovecot23-backend-mysql-2.3.10-lp151.2.12.1 dovecot23-backend-pgsql-2.3.10-lp151.2.12.1 dovecot23-backend-sqlite-2.3.10-lp151.2.12.1 dovecot23-devel-2.3.10-lp151.2.12.1 dovecot23-fts-2.3.10-lp151.2.12.1 dovecot23-fts-lucene-2.3.10-lp151.2.12.1 dovecot23-fts-solr-2.3.10-lp151.2.12.1 dovecot23-fts-squat-2.3.10-lp151.2.12.1 dovecot23-2.3.10-lp151.2.12.1 as a component of openSUSE Leap 15.1 dovecot23-backend-mysql-2.3.10-lp151.2.12.1 as a component of openSUSE Leap 15.1 dovecot23-backend-pgsql-2.3.10-lp151.2.12.1 as a component of openSUSE Leap 15.1 dovecot23-backend-sqlite-2.3.10-lp151.2.12.1 as a component of openSUSE Leap 15.1 dovecot23-devel-2.3.10-lp151.2.12.1 as a component of openSUSE Leap 15.1 dovecot23-fts-2.3.10-lp151.2.12.1 as a component of openSUSE Leap 15.1 dovecot23-fts-lucene-2.3.10-lp151.2.12.1 as a component of openSUSE Leap 15.1 dovecot23-fts-solr-2.3.10-lp151.2.12.1 as a component of openSUSE Leap 15.1 dovecot23-fts-squat-2.3.10-lp151.2.12.1 as a component of openSUSE Leap 15.1 In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read. CVE-2020-12673 openSUSE Leap 15.1:dovecot23-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-backend-mysql-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-backend-pgsql-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-backend-sqlite-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-devel-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-fts-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-fts-lucene-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-fts-solr-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-fts-squat-2.3.10-lp151.2.12.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/V5BQ7VTUOTG643O3W2XOD47UQ4UFUGOJ/ https://www.suse.com/security/cve/CVE-2020-12673.html CVE-2020-12673 https://bugzilla.suse.com/1174920 SUSE Bug 1174920 https://bugzilla.suse.com/1174922 SUSE Bug 1174922 In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled. CVE-2020-12674 openSUSE Leap 15.1:dovecot23-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-backend-mysql-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-backend-pgsql-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-backend-sqlite-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-devel-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-fts-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-fts-lucene-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-fts-solr-2.3.10-lp151.2.12.1 openSUSE Leap 15.1:dovecot23-fts-squat-2.3.10-lp151.2.12.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/V5BQ7VTUOTG643O3W2XOD47UQ4UFUGOJ/ https://www.suse.com/security/cve/CVE-2020-12674.html CVE-2020-12674 https://bugzilla.suse.com/1174920 SUSE Bug 1174920 https://bugzilla.suse.com/1174923 SUSE Bug 1174923