HomeFreeBSD
Diffusion FreeBSD ports repository rP535778

mail/dovecot: Upgrade to 2.3.10.1, fixing multiple vulnerabilities.
rP535778
Actions

Description

mail/dovecot: Upgrade to 2.3.10.1, fixing multiple vulnerabilities.

  • CVE-2020-10957: lmtp/submission: A client can crash the server by sending a NOOP command with an invalid string parameter. This occurs particularly for a parameter that doesn't start with a double quote. This applies to all SMTP services, including submission-login, which makes it possible to crash the submission service without authentication.
  • CVE-2020-10958: lmtp/submission: Sending many invalid or unknown commands can cause the server to access freed memory, which can lead to a server crash. This happens when the server closes the connection with a "421 Too many invalid commands" error. The bad command limit depends on the service (lmtp or submission) and varies between 10 to 20 bad commands.
  • CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash.

Clean up some REINPLACE warnings whilst we're here.

MFH: 2020Q2
Security: 37d106a8-15a4-483e-8247-fcb68b16eaf8
Security: CVE-2020-10957
Security: CVE-2020-10958
Security: CVE-2020-10967

Details

Provenance
lerAuthored on
Parents
rP535777: devel/py-pycparser: update to 2.20
Branches
Unknown
Tags
Unknown

Changes (2)

PathSize
head/
mail/
dovecot/

rP535778

View Options

head/mail/dovecot/Makefile

Loading...
View Options

head/mail/dovecot/distinfo

Loading...