Issued:
2020-09-03
Updated:
2020-09-03

RHSA-2020:3617 - Security Advisory

Synopsis

Important: dovecot security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for dovecot is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages.

Security Fix(es):

  • dovecot: Resource exhaustion via deeply nested MIME parts (CVE-2020-12100)
  • dovecot: Out of bound reads in dovecot NTLM implementation (CVE-2020-12673)
  • dovecot: Crash due to assert in RPA implementation (CVE-2020-12674)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux Workstation 7 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for Power, big endian 7 ppc64
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le

Fixes

  • BZ - 1866309 - CVE-2020-12100 dovecot: Resource exhaustion via deeply nested MIME parts
  • BZ - 1866313 - CVE-2020-12673 dovecot: Out of bound reads in dovecot NTLM implementation
  • BZ - 1866317 - CVE-2020-12674 dovecot: Crash due to assert in RPA implementation

Red Hat Enterprise Linux Server 7

SRPM
dovecot-2.2.36-6.el7_8.1.src.rpm SHA-256: a51d8696cb662181c6c73b14e0d212d547ec9e11d57a7ab36e68384e63192759
x86_64
dovecot-2.2.36-6.el7_8.1.i686.rpm SHA-256: 1950f2634dfd31252af071519077c0de832aea91b644c99f23286e0e09ba9718
dovecot-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: cf56594c8bbddce555f9345b80f13073ea42f810276fe80fb5619b315af8e945
dovecot-debuginfo-2.2.36-6.el7_8.1.i686.rpm SHA-256: 926dfa7b37c9a553ca4ecf095b50d705b7ff77fb863971de059ce43a3dd0ff6f
dovecot-debuginfo-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: 18dd2d98d95525bfda8eebada1fd15331b1f2187f639f78dea270c21acf88944
dovecot-debuginfo-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: 18dd2d98d95525bfda8eebada1fd15331b1f2187f639f78dea270c21acf88944
dovecot-devel-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: 7ab508c5c4277fd93a01871588ebe59bb2ac2d19764bbcefb060785c3f7b0606
dovecot-mysql-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: 0a500792c5e1e8ebc67e1596a0f9c3d1616ee142a35baf4a395c37c653631cc9
dovecot-pgsql-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: da7d02b6302022114a017d1915e3be389506972ec0c3067c84c1109cb41630bd
dovecot-pigeonhole-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: 99052cebdb48923b28174850a41e300abbdc450dbe3de4675cfb28c8bf30f828

Red Hat Enterprise Linux Workstation 7

SRPM
dovecot-2.2.36-6.el7_8.1.src.rpm SHA-256: a51d8696cb662181c6c73b14e0d212d547ec9e11d57a7ab36e68384e63192759
x86_64
dovecot-2.2.36-6.el7_8.1.i686.rpm SHA-256: 1950f2634dfd31252af071519077c0de832aea91b644c99f23286e0e09ba9718
dovecot-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: cf56594c8bbddce555f9345b80f13073ea42f810276fe80fb5619b315af8e945
dovecot-debuginfo-2.2.36-6.el7_8.1.i686.rpm SHA-256: 926dfa7b37c9a553ca4ecf095b50d705b7ff77fb863971de059ce43a3dd0ff6f
dovecot-debuginfo-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: 18dd2d98d95525bfda8eebada1fd15331b1f2187f639f78dea270c21acf88944
dovecot-debuginfo-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: 18dd2d98d95525bfda8eebada1fd15331b1f2187f639f78dea270c21acf88944
dovecot-devel-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: 7ab508c5c4277fd93a01871588ebe59bb2ac2d19764bbcefb060785c3f7b0606
dovecot-mysql-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: 0a500792c5e1e8ebc67e1596a0f9c3d1616ee142a35baf4a395c37c653631cc9
dovecot-pgsql-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: da7d02b6302022114a017d1915e3be389506972ec0c3067c84c1109cb41630bd
dovecot-pigeonhole-2.2.36-6.el7_8.1.x86_64.rpm SHA-256: 99052cebdb48923b28174850a41e300abbdc450dbe3de4675cfb28c8bf30f828

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
dovecot-2.2.36-6.el7_8.1.src.rpm SHA-256: a51d8696cb662181c6c73b14e0d212d547ec9e11d57a7ab36e68384e63192759
s390x
dovecot-2.2.36-6.el7_8.1.s390.rpm SHA-256: 0b36d3fe91ed458f48b192fb66bbb521d2273e90187110443fa1a6d648a91007
dovecot-2.2.36-6.el7_8.1.s390x.rpm SHA-256: 11c254aa9f71375fede082b8281d4b8863491aeafde283bd1a3a3caee512333e
dovecot-debuginfo-2.2.36-6.el7_8.1.s390.rpm SHA-256: e35599e39d1620b05cc86ad8e72098adf6c30c9717535f20d959f14b94b05bb5
dovecot-debuginfo-2.2.36-6.el7_8.1.s390x.rpm SHA-256: d44e5b73afaebfca2f5c4b31cfcc1a15be6aa0ef2eed35e007548d3a5352ad5c
dovecot-debuginfo-2.2.36-6.el7_8.1.s390x.rpm SHA-256: d44e5b73afaebfca2f5c4b31cfcc1a15be6aa0ef2eed35e007548d3a5352ad5c
dovecot-devel-2.2.36-6.el7_8.1.s390x.rpm SHA-256: 6de2282065f915c7daa36e536531de950d5d8748139a86ec7be26ec16e8cbb9f
dovecot-mysql-2.2.36-6.el7_8.1.s390x.rpm SHA-256: ef9bdc8469e308d419d916df421451f2f7738d404e29fc5b8a9f777b60567137
dovecot-pgsql-2.2.36-6.el7_8.1.s390x.rpm SHA-256: ccc1116ba4e8ac60c25e8f57fd192806f7f3f2ffbeeefef8fbfd26a56b8559c7
dovecot-pigeonhole-2.2.36-6.el7_8.1.s390x.rpm SHA-256: ca82340497a74bbf9949771639110fc8a6db47a9449cc0bbd6436e224d566170

Red Hat Enterprise Linux for Power, big endian 7

SRPM
dovecot-2.2.36-6.el7_8.1.src.rpm SHA-256: a51d8696cb662181c6c73b14e0d212d547ec9e11d57a7ab36e68384e63192759
ppc64
dovecot-2.2.36-6.el7_8.1.ppc.rpm SHA-256: 6e7969949eacaed97b01c1db0c920fb83c6249d5711f7d486fa2cbe6e649c311
dovecot-2.2.36-6.el7_8.1.ppc64.rpm SHA-256: 5ce1a0e1497faef832b599a67b056f2f0c0c9dcf6e2724c77171c4880f637a2b
dovecot-debuginfo-2.2.36-6.el7_8.1.ppc.rpm SHA-256: bf6c08657d2121278cc6d67e1b30de953facf4a6639467e51565d5ced0762e10
dovecot-debuginfo-2.2.36-6.el7_8.1.ppc64.rpm SHA-256: 94b52c983a4bee0fbf7b9d2afe7653db0b6f2b6d2d088d578afb4ef1c1bb0da9
dovecot-debuginfo-2.2.36-6.el7_8.1.ppc64.rpm SHA-256: 94b52c983a4bee0fbf7b9d2afe7653db0b6f2b6d2d088d578afb4ef1c1bb0da9
dovecot-devel-2.2.36-6.el7_8.1.ppc64.rpm SHA-256: 785b47aa23b68e91c27db6f1b96b9bceea193da2be7128c26f925e7bb7cf4421
dovecot-mysql-2.2.36-6.el7_8.1.ppc64.rpm SHA-256: 7c166418792c31e2349ae0b445e2b824ce0a20d0131101a272d77335a55139e1
dovecot-pgsql-2.2.36-6.el7_8.1.ppc64.rpm SHA-256: 79683f764884673ac136cbf2c618c29bc5da2df51fa7cb0352e0df67e4217a95
dovecot-pigeonhole-2.2.36-6.el7_8.1.ppc64.rpm SHA-256: 6fb4b372cab4d98ce8f1447b5e4de11f567e4e7218f80de01eeb81d28af68f0c

Red Hat Enterprise Linux for Power, little endian 7

SRPM
dovecot-2.2.36-6.el7_8.1.src.rpm SHA-256: a51d8696cb662181c6c73b14e0d212d547ec9e11d57a7ab36e68384e63192759
ppc64le
dovecot-2.2.36-6.el7_8.1.ppc64le.rpm SHA-256: c5aa8bc3702b0415b243b271fd0a311f28613b92ddb3ae640410944e46d86842
dovecot-debuginfo-2.2.36-6.el7_8.1.ppc64le.rpm SHA-256: 8917d29ffe6c4e48ceed0a38fec4544e6e8cca36776bfe7453a78786486242de
dovecot-debuginfo-2.2.36-6.el7_8.1.ppc64le.rpm SHA-256: 8917d29ffe6c4e48ceed0a38fec4544e6e8cca36776bfe7453a78786486242de
dovecot-devel-2.2.36-6.el7_8.1.ppc64le.rpm SHA-256: e9df7353501201e54f7d81c5b51a4482d9871aac54378d03df1bad8d915ab7dc
dovecot-mysql-2.2.36-6.el7_8.1.ppc64le.rpm SHA-256: 259385302d802100f06ec47e23a62f07b960bde901cc0e888df4349680e63899
dovecot-pgsql-2.2.36-6.el7_8.1.ppc64le.rpm SHA-256: e58734bbc291fb3086e315c86fb0f426196013b65382da801262ad55c30c1021
dovecot-pigeonhole-2.2.36-6.el7_8.1.ppc64le.rpm SHA-256: 31b55fa13615e0186314bffc3fbb3924f243359ebdd20175fe5752cef64a7ad0

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.