Security update for dovecot23 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:1379-1 Final 1 1 2020-05-22T06:00:52Z current 2020-05-22T06:00:52Z 2020-05-22T06:00:52Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dovecot23 This update for dovecot23 fixes the following issues: Security issues fixed: - CVE-2020-10957: Fixed a crash caused by malformed NOOP commands (bsc#1171457). - CVE-2020-10958: Fixed a use-after-free when receiving too many newlines (bsc#1171458). - CVE-2020-10967: Fixed a crash in the lmtp and submission components caused by mails with empty quoted localparts (bsc#1171456). Non-security issues fixed: - The update to 2.3.10 fixes several bugs. Please refer to https://dovecot.org/doc/NEWS for a complete list of changes. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-1379,SUSE-SLE-Product-HPC-15-2020-1379,SUSE-SLE-Product-SLES-15-2020-1379,SUSE-SLE-Product-SLES_SAP-15-2020-1379 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20201379-1/ Link for SUSE-SU-2020:1379-1 https://lists.suse.com/pipermail/sle-security-updates/2020-May/006846.html E-Mail link for SUSE-SU-2020:1379-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1171456 SUSE Bug 1171456 https://bugzilla.suse.com/1171457 SUSE Bug 1171457 https://bugzilla.suse.com/1171458 SUSE Bug 1171458 https://www.suse.com/security/cve/CVE-2020-10957/ SUSE CVE CVE-2020-10957 page https://www.suse.com/security/cve/CVE-2020-10958/ SUSE CVE CVE-2020-10958 page https://www.suse.com/security/cve/CVE-2020-10967/ SUSE CVE CVE-2020-10967 page SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Server for SAP Applications 15 dovecot23-2.3.10-4.22.1 dovecot23-backend-mysql-2.3.10-4.22.1 dovecot23-backend-pgsql-2.3.10-4.22.1 dovecot23-backend-sqlite-2.3.10-4.22.1 dovecot23-devel-2.3.10-4.22.1 dovecot23-fts-2.3.10-4.22.1 dovecot23-fts-lucene-2.3.10-4.22.1 dovecot23-fts-solr-2.3.10-4.22.1 dovecot23-fts-squat-2.3.10-4.22.1 dovecot23-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS dovecot23-backend-mysql-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS dovecot23-backend-pgsql-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS dovecot23-backend-sqlite-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS dovecot23-devel-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS dovecot23-fts-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS dovecot23-fts-lucene-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS dovecot23-fts-solr-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS dovecot23-fts-squat-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS dovecot23-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS dovecot23-backend-mysql-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS dovecot23-backend-pgsql-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS dovecot23-backend-sqlite-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS dovecot23-devel-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS dovecot23-fts-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS dovecot23-fts-lucene-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS dovecot23-fts-solr-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS dovecot23-fts-squat-2.3.10-4.22.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS dovecot23-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server 15-LTSS dovecot23-backend-mysql-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server 15-LTSS dovecot23-backend-pgsql-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server 15-LTSS dovecot23-backend-sqlite-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server 15-LTSS dovecot23-devel-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server 15-LTSS dovecot23-fts-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server 15-LTSS dovecot23-fts-lucene-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server 15-LTSS dovecot23-fts-solr-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server 15-LTSS dovecot23-fts-squat-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server 15-LTSS dovecot23-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 dovecot23-backend-mysql-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 dovecot23-backend-pgsql-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 dovecot23-backend-sqlite-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 dovecot23-devel-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 dovecot23-fts-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 dovecot23-fts-lucene-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 dovecot23-fts-solr-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 dovecot23-fts-squat-2.3.10-4.22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp. CVE-2020-10957 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-backend-mysql-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-backend-pgsql-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-backend-sqlite-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-devel-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-fts-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-fts-lucene-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-fts-solr-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-fts-squat-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-backend-mysql-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-backend-pgsql-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-backend-sqlite-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-devel-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-fts-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-fts-lucene-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-fts-solr-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-fts-squat-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-backend-mysql-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-backend-pgsql-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-backend-sqlite-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-devel-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-fts-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-fts-lucene-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-fts-solr-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-fts-squat-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-backend-mysql-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-backend-pgsql-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-backend-sqlite-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-devel-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-fts-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-fts-lucene-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-fts-solr-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-fts-squat-2.3.10-4.22.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201379-1/ https://www.suse.com/security/cve/CVE-2020-10957.html CVE-2020-10957 https://bugzilla.suse.com/1171457 SUSE Bug 1171457 In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command. CVE-2020-10958 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-backend-mysql-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-backend-pgsql-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-backend-sqlite-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-devel-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-fts-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-fts-lucene-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-fts-solr-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-fts-squat-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-backend-mysql-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-backend-pgsql-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-backend-sqlite-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-devel-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-fts-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-fts-lucene-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-fts-solr-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-fts-squat-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-backend-mysql-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-backend-pgsql-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-backend-sqlite-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-devel-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-fts-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-fts-lucene-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-fts-solr-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-fts-squat-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-backend-mysql-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-backend-pgsql-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-backend-sqlite-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-devel-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-fts-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-fts-lucene-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-fts-solr-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-fts-squat-2.3.10-4.22.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201379-1/ https://www.suse.com/security/cve/CVE-2020-10958.html CVE-2020-10958 https://bugzilla.suse.com/1171458 SUSE Bug 1171458 In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart. CVE-2020-10967 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-backend-mysql-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-backend-pgsql-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-backend-sqlite-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-devel-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-fts-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-fts-lucene-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-fts-solr-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:dovecot23-fts-squat-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-backend-mysql-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-backend-pgsql-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-backend-sqlite-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-devel-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-fts-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-fts-lucene-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-fts-solr-2.3.10-4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:dovecot23-fts-squat-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-backend-mysql-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-backend-pgsql-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-backend-sqlite-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-devel-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-fts-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-fts-lucene-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-fts-solr-2.3.10-4.22.1 SUSE Linux Enterprise Server 15-LTSS:dovecot23-fts-squat-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-backend-mysql-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-backend-pgsql-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-backend-sqlite-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-devel-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-fts-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-fts-lucene-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-fts-solr-2.3.10-4.22.1 SUSE Linux Enterprise Server for SAP Applications 15:dovecot23-fts-squat-2.3.10-4.22.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201379-1/ https://www.suse.com/security/cve/CVE-2020-10967.html CVE-2020-10967 https://bugzilla.suse.com/1171456 SUSE Bug 1171456