CVE-2020-25275 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Denial of service
Description	A security issue was discovered in dovecot version 2.3.11 up to 2.3.11.3. Mail delivery/parsing crashed when the 10 000th MIME part was message/rfc822 (or if its parent was multipart/digest). This happened due to earlier MIME parsing changes for CVE-2020-12100. Malicious senders could crash dovecot repeatedly by sending/uploading messages with more than 10 000 MIME parts. The issue is fixed in dovecot version 2.3.13.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1398	dovecot	2.3.11.3-3	2.3.13-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
04 Jan 2021	ASA-202101-4	AVG-1398	dovecot	High	multiple issues

References
https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html https://github.com/dovecot/core/commit/67f792cb98267ee74c425772e766e7a2525c0d8f https://github.com/dovecot/core/commit/6ae93c3936fc870c313a6fdf44a0999d4129d9b8

References

https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html
https://github.com/dovecot/core/commit/67f792cb98267ee74c425772e766e7a2525c0d8f
https://github.com/dovecot/core/commit/6ae93c3936fc870c313a6fdf44a0999d4129d9b8

Notes
Workaround ========== Operators can choose to disable IMAP hibernation. IMAP hibernation is not on by default. To ensure imap hibernation is disabled, make sure imap_hibernate_timeout is set to 0 or unset.

Notes

Workaround
==========

Operators can choose to disable IMAP hibernation. IMAP hibernation is not on by default. To ensure imap hibernation is disabled, make sure imap_hibernate_timeout is set to 0 or unset.