Bugzilla – Bug 1180406
VUL-1: CVE-2020-25275: dovecot22,dovecot23: Mail delivery / parsing crashed when the 10 000th MIME part was message/rfc822
Last modified: 2021-09-30 11:54:39 UTC
This bug (CVE-2020-25275) was introduced with the fix for CVE-2020-12100, which we have not applied yet: https://bugzilla.suse.com/show_bug.cgi?id=1174920

Technically we're not affected, but I'm setting the tracking to "affected" nevertheless, so that we don't miss it once bsc#1174920 is fixed.

SUSE:SLE-12:Update dovecot22 Affected
SUSE:SLE-15:Update dovecot23 Affected
SUSE:SLE-15-SP1:Update dovecot23 Affected
SUSE:SLE-15-SP2:Update dovecot23 Affected
via oss-security:

Open-Xchange Security Advisory 2021-01-04

Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-4113 (Bug ID)
Vulnerability type: CWE-20: Improper Input Validation
Vulnerable version: 2.3.11-2.3.11.3
Vulnerable component: lda, lmtp, imap
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.13
Vendor notification: 2020-09-10
Solution date: 2020-09-14
Public disclosure: 2021-01-04
CVE reference: CVE-2020-25275
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Researcher credit: Innokentii Sennovskiy (Rumata888) from BI.ZONE

Vulnerability Details:
Mail delivery / parsing crashed when the 10 000th MIME part was message/rfc822 (or if parent was multipart/digest). This happened due to earlier MIME parsing changes for CVE-2020-12100.

Risk:
Malicious sender can crash dovecot repeatedly by sending / uploading message with more than 10 000 MIME parts.

Workaround:
These are usually dropped by MTA, where the mitigation can also be applied.

Solution:
Operators should update to 2.3.13 or later version.
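The advisory's workaround is to apply the mitigation at the MTA, i.e. drop messages with an excessive number of MIME parts before they reach lda/lmtp. The following Python filter is an added example of that check and is not Dovecot code or part of the advisory: it parses a message with the standard library, counts every MIME part including the ones nested inside message/rfc822 parts (the case that triggered the crash), and rejects the message once the count passes a configured limit. The limit constant, the function names and the sample messages built by `build_message` are assumptions and constructed test data.

```python
# Added example: an MTA-side MIME part-count filter in the spirit of the
# advisory's workaround. Not Dovecot code; the limit, helper names and
# sample messages are assumptions / constructed data.
import email
from email import policy
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Threshold taken from the advisory: more than 10 000 MIME parts triggered
# the crash. A site may choose a lower value (assumption).
MAX_MIME_PARTS = 10_000


def count_mime_parts(msg, limit=MAX_MIME_PARTS):
    """Depth-first count of every MIME part in a parsed message tree.

    Both multipart/* containers and message/rfc822 parts carry a list
    payload, so nested messages are descended into and counted like any
    other part. The walk stops as soon as the count exceeds `limit`, in
    which case the returned value is limit + 1.
    """
    count = 0
    stack = [msg]
    while stack:
        part = stack.pop()
        count += 1
        if count > limit:
            return count
        if part.is_multipart():
            stack.extend(part.get_payload())
    return count


def mime_part_count(raw, limit=MAX_MIME_PARTS):
    """Parse a raw message (bytes) and count its MIME parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return count_mime_parts(msg, limit)


def should_reject(raw, limit=MAX_MIME_PARTS):
    """Policy decision for the MTA: True when the message exceeds the limit."""
    return mime_part_count(raw, limit) > limit


def build_message(n_text_parts, nest_rfc822=False):
    """Constructed test data: a multipart/mixed message with n text/plain
    parts and, optionally, one message/rfc822 part wrapping a small inner
    message."""
    outer = MIMEMultipart("mixed")
    outer["From"] = "sender@example.invalid"
    outer["To"] = "recipient@example.invalid"
    outer["Subject"] = "constructed sample"
    for i in range(n_text_parts):
        outer.attach(MIMEText(f"part {i}", "plain"))
    if nest_rfc822:
        inner = MIMEText("inner body", "plain")
        inner["Subject"] = "inner"
        outer.attach(MIMEMessage(inner))
    return outer.as_bytes()


if __name__ == "__main__":
    small = build_message(3, nest_rfc822=True)
    # outer container + 3 text parts + message/rfc822 wrapper + inner message
    print("parts:", mime_part_count(small), "reject:", should_reject(small))
    big = build_message(30)
    print("parts:", mime_part_count(big, limit=20),
          "reject:", should_reject(big, limit=20))
```

The check belongs in the MTA's content-filter or milter stage, ahead of delivery to Dovecot. Note that `email.message_from_bytes` parses the whole tree before the count starts, so the early exit in `count_mime_parts` only bounds the traversal; a production filter should additionally cap raw message size upstream so the filter itself cannot be made to do unbounded parsing work.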
SUSE-SU-2021:0028-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1174922,1174923,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-12673,CVE-2020-12674,CVE-2020-24386,CVE-2020-25275
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): dovecot23-2.3.11.3-17.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:0029-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): dovecot23-2.3.11.3-4.32.1
SUSE Linux Enterprise Server 15-LTSS (src): dovecot23-2.3.11.3-4.32.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): dovecot23-2.3.11.3-4.32.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): dovecot23-2.3.11.3-4.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:0027-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): dovecot23-2.3.11.3-21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0026-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): dovecot23-2.3.11.3-lp152.2.6.1
openSUSE-SU-2021:0072-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174920,1180405,1180406
CVE References: CVE-2020-12100,CVE-2020-24386,CVE-2020-25275
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): dovecot23-2.3.11.3-lp151.2.15.1
SUSE:SLE-12:Update/dovecot22 is still flagged as affected; can you please submit the fix?
CVE-2020-12100 (bsc#1174920) was declared WONTFIX for SLE-12/dovecot22, which in turn means that SLE-12/dovecot22 is not affected by CVE-2020-25275, which would have been introduced by patching the former.