ASA-202106-56 log original external raw

[ASA-202106-56] dovecot: information disclosure
Arch Linux Security Advisory ASA-202106-56 ========================================== Severity: High Date : 2021-06-22 CVE-ID : CVE-2021-29157 CVE-2021-33515 Package : dovecot Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-2087 Summary ======= The package dovecot before version 2.3.15-1 is vulnerable to information disclosure. Resolution ========== Upgrade to 2.3.15-1. # pacman -Syu "dovecot>=2.3.15-1" The problems have been fixed upstream in version 2.3.15. Workaround ========== CVE-2021-29157 can be mitigated by disabling local JWT validation in oauth2, or using a different dict driver than fs:posix. No known workaround exists for CVE-2021-33515. Description =========== - CVE-2021-29157 (information disclosure) A security issue has been found in Dovecot before version 2.3.14.1. The kid and azp fields in JWT tokens are not correctly escaped. This may be used to supply attacker controlled keys to validate tokens in some configurations. The attack requires an attacker to be able to write files to the local disk. As a result, a local attacker can login as any user and access their emails. - CVE-2021-33515 (information disclosure) A security issue has been found in Dovecot before version 2.3.14.1. An on-path attacker could inject plaintext commands before the STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected. As a result, an attacker can potentially steal user credentials and emails. The attacker needs to have sending permissions on the submission server (a valid username and password). Impact ====== A remote authenticated attacker or a local attacker with write access to the disk could disclose user credentials and emails. References ========== https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html https://www.openwall.com/lists/oss-security/2021/06/28/1 https://github.com/dovecot/core/commit/7f06f6274437ea97142df1f64f322b3ced44d0b3 https://github.com/dovecot/core/commit/7a77e070ddb6a67fe7a40118ba3e3f9b6062a7d1 https://github.com/dovecot/core/commit/bae4e44596d6548322665d242b055f44fe1dc58d https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html https://www.openwall.com/lists/oss-security/2021/06/28/2 https://github.com/dovecot/core/commit/65bd1a27a361545c9ccf405b955c72a9c4d29b38 https://security.archlinux.org/CVE-2021-29157 https://security.archlinux.org/CVE-2021-33515

[ASA-202106-56] dovecot: information disclosure

Arch Linux Security Advisory ASA-202106-56 ========================================== Severity: High Date : 2021-06-22 CVE-ID : CVE-2021-29157 CVE-2021-33515 Package : dovecot Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-2087 Summary ======= The package dovecot before version 2.3.15-1 is vulnerable to information disclosure. Resolution ========== Upgrade to 2.3.15-1. # pacman -Syu "dovecot>=2.3.15-1" The problems have been fixed upstream in version 2.3.15. Workaround ========== CVE-2021-29157 can be mitigated by disabling local JWT validation in oauth2, or using a different dict driver than fs:posix. No known workaround exists for CVE-2021-33515. Description =========== - CVE-2021-29157 (information disclosure) A security issue has been found in Dovecot before version 2.3.14.1. The kid and azp fields in JWT tokens are not correctly escaped. This may be used to supply attacker controlled keys to validate tokens in some configurations. The attack requires an attacker to be able to write files to the local disk. As a result, a local attacker can login as any user and access their emails. - CVE-2021-33515 (information disclosure) A security issue has been found in Dovecot before version 2.3.14.1. An on-path attacker could inject plaintext commands before the STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected. As a result, an attacker can potentially steal user credentials and emails. The attacker needs to have sending permissions on the submission server (a valid username and password). Impact ====== A remote authenticated attacker or a local attacker with write access to the disk could disclose user credentials and emails. References ========== https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html https://www.openwall.com/lists/oss-security/2021/06/28/1 https://github.com/dovecot/core/commit/7f06f6274437ea97142df1f64f322b3ced44d0b3 https://github.com/dovecot/core/commit/7a77e070ddb6a67fe7a40118ba3e3f9b6062a7d1 https://github.com/dovecot/core/commit/bae4e44596d6548322665d242b055f44fe1dc58d https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html https://www.openwall.com/lists/oss-security/2021/06/28/2 https://github.com/dovecot/core/commit/65bd1a27a361545c9ccf405b955c72a9c4d29b38 https://security.archlinux.org/CVE-2021-29157 https://security.archlinux.org/CVE-2021-33515