package/dovecot: security bump version to 2.3.11.3 (6db0ea91) · Commits · Arm Reference Solutions / buildroot

Commit 6db0ea91 authored Aug 18, 2020 by Bernd Kuhls Committed by Thomas Petazzoni Aug 18, 2020

package/dovecot: security bump version to 2.3.11.3

Release notes:
https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html



Fixes the following CVEs:

* CVE-2020-12100: Parsing mails with a large number of MIME parts could
  have resulted in excessive CPU usage or a crash due to running out of
  stack memory.
* CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
  message buffer size, which leads to reading past allocation which can
  lead to crash.
* CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
  address that has the empty quoted string as local-part causes the lmtp
  service to crash.
* CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
  zero-length message, which leads to assert-crash later on.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

parent 87fb8365

Hide whitespace changes

Inline Side-by-side

Please register or to comment