Bugzilla – Bug 1174920
VUL-0: CVE-2020-12100: dovecot22,dovecot23: nested MIME parts leads to resource exhaustion
Last modified: 2022-10-23 16:03:11 UTC
Created attachment 840371 [details] patches Affected product: Dovecot IMAP server Internal reference: DOP-1849 (Bug ID) Vulnerability type: Uncontrolled recursion (CWE-674) Vulnerable version: 2.0 Fixed versions: 2.3.11 Vulnerable component: submission, lmtp, lda Report confidence: Confirmed Solution status: Fix available Vendor notification: 2020-04-23 CVE reference: CVE-2020-12100 CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Vulnerability Details: Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it. Risk: Malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad content. Workaround: Limit MIME structures in MTA. Solution: Upgrade to fixed version.
I've problems with a dovecot vul bug: https://bugzilla.suse.com/show_bug.cgi?id=1174920 I can apply the proposed patches only on SLE15 and SLE15_SP1 (dovecot23) not on SLE12 (dovecot22) . But the patch seems to be buggy. The tests can not be build- https://build.suse.de/package/live_build_log/home:varkoly:branches:OBS_Maintained:dovecot23/dovecot23.SUSE_SLE-15_Update/SUSE_SLE-15_Update/x86_64
This is an autogenerated message for OBS integration: This bug (1174920) was mentioned in https://build.opensuse.org/request/show/826276 Factory / dovecot23
References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12100 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12100 https://www.debian.org/security/2020/dsa-4745 https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12100.html https://bugzilla.redhat.com/show_bug.cgi?id=1866309
upstream git commits: d4bb43a08ab9ecfab7249a17279e5f773c8abaad 6d77e00e4d170efde908591dc5871a8e48ea844b 926742088a3c66c11099386b2c6e80999c29f405 e5830ae88531a32db36c97ebf122cba9a39cf801 cb00e21fd70aae49453aedc1bb33c0765ab98667 5ecadd30746d91854b5aa484feff9c70ea91c20b 24f0bfefdbccaaaaab9f52be428648ec3f1c34d3 02c7c6dbb51748a5af8b0c70a499a3ab17de8490 729941c996ee0b0ede40f462c9e34ceb6a6bd049 8dbc754a31fbf7684e858aa1fb633b8dfbeb13cf a175d654c3bc4d57641b871bbff99c10799b7d67 a676cb539fc1545c58d1341baa2f875f7b694133 0f46088a1af7b493db76a1d97ef4ecc6bb41f5a4 7868f5f49be91fe51795b477a5440e69c1540716 be53a118e789886efcdd57c513651c5148651161 19193f40b1d74e8d4ef88121992b4a61d84773e3
SUSE-SU-2021:0028-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1174920,1174922,1174923,1180405,1180406 CVE References: CVE-2020-12100,CVE-2020-12673,CVE-2020-12674,CVE-2020-24386,CVE-2020-25275 JIRA References: Sources used: SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): dovecot23-2.3.11.3-17.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:0029-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1174920,1180405,1180406 CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275 JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15 (src): dovecot23-2.3.11.3-4.32.1 SUSE Linux Enterprise Server 15-LTSS (src): dovecot23-2.3.11.3-4.32.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): dovecot23-2.3.11.3-4.32.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): dovecot23-2.3.11.3-4.32.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:0027-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1174920,1180405,1180406 CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275 JIRA References: Sources used: SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): dovecot23-2.3.11.3-21.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0026-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1174920,1180405,1180406 CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275 JIRA References: Sources used: openSUSE Leap 15.2 (src): dovecot23-2.3.11.3-lp152.2.6.1
openSUSE-SU-2021:0072-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1174920,1180405,1180406 CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275 JIRA References: Sources used: openSUSE Leap 15.1 (src): dovecot23-2.3.11.3-lp151.2.15.1
Fixed
Can/need not be fixed for dovecot22