Path to this page:
Subject: CVS commit: [pkgsrc-2020Q1] pkgsrc/mail/dovecot2
From: Benny Siegert
Date: 2020-05-20 21:15:13
Message id: 20200520191513.CF60AFB27@cvs.NetBSD.org
Log Message:
Pullup ticket #6203 - requested by taca
mail/dovecot2: security fix
Revisions pulled up:
- mail/dovecot2/Makefile.common 1.40
- mail/dovecot2/distinfo 1.104
---
Module Name: pkgsrc
Committed By: taca
Date: Mon May 18 14:20:47 UTC 2020
Modified Files:
pkgsrc/mail/dovecot2: Makefile.common distinfo
pkgsrc/mail/dovecot2-sqlite: Makefile
Log Message:
mail/dovecot2: update to 2.3.10.1
Update dovecot2 to 2.3.10.1.
v2.3.10.1 2020-05-18 Aki Tuomi <aki.tuomi@open-xchange.com>
- CVE-2020-10957: lmtp/submission: A client can crash the server by
sending a NOOP command with an invalid string parameter. This occurs
particularly for a parameter that doesn't start with a double quote.
This applies to all SMTP services, including submission-login, which
makes it possible to crash the submission service without
authentication.
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown
commands can cause the server to access freed memory, which can lead
to a server crash. This happens when the server closes the connection
with a "421 Too many invalid commands" error. The bad command limit
depends on the service (lmtp or submission) and varies between 10 to
20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
address that has the empty quoted string as local-part causes the lmtp
service to crash.
Files: