Date: Wed, 06 Jan 2021 14:26:01 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 252472] [vuxml] mail/dovecot: document vulerability in mail/dovecot lower than 2.3.13 (CVE-2020-24386) Message-ID: <bug-252472-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D252472 Bug ID: 252472 Summary: [vuxml] mail/dovecot: document vulerability in mail/dovecot lower than 2.3.13 (CVE-2020-24386) Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: ler@FreeBSD.org Reporter: thomas@bsdunix.ch Assignee: ler@FreeBSD.org Flags: maintainer-feedback?(ler@FreeBSD.org) There was an vulnerability in mail/dovecot 2.3.12 and prior [1]=20 There is a PR for 2.3.13 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D252415 It passes 'make validate' for me: <vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1"> <vuln vid=3D"424db8a1-5027-11eb-a462-000e0c331e98"> <topic>mail/dovecot -- vulnerability</topic> <affects> <package> <name>dovecot</name> <range><lt>2.3.13</lt></range> </package> </affects> <description> <body xmlns=3D"http://www.w3.org/1999/xhtml"> <p>Aki Tuomi reports:</p> <blockquote cite=3D"https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html= "> <p>An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).</p> </blockquote> </body> </description> <references> =20=20=20=20=20 <url>https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html</u= rl> <cvename>CVE-2020-24386</cvename> </references> <dates> <discovery>2020-08-17</discovery> <entry>2021-01-06</entry> </dates> </vuln> [1] Details about the vulnerability: https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html: Open-Xchange Security Advisory 2021-01-04 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOP-2009 (Bug ID) Vulnerability type: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences Vulnerable version: 2.2.26-2.3.11.3 Vulnerable component: imap Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.13 Vendor notification: 2020-08-17 Solution date: 2020-08-27 Public disclosure: 2021-01-04 CVE reference: CVE-2020-24386 CVSS: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N) Vulnerability Details: When imap hibernation is active, an attacker can cause Dovecot to discover file system directory structure and access other users' emails using specially crafted command. The attacker must have valid credentials to access the mail server. Risk: Attacker can access other users' emails and filesystem information. Workaround: Operators can choose to disable IMAP hibernation. IMAP hibernation is not on by default. To ensure imap hibernation is disabled, make sure imap_hibernate_timeout is set to 0 or unset. Solution: Operators should update to 2.3.13 or later version. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-252472-7788>