Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum
Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Support
  3. Dovecot CVE-2020-24386

Dovecot CVE-2020-24386

Scheduled Pinned Locked Moved Solved Support
dovecotmailsecurity
7 Posts 3 Posters 841 Views
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • subvenS Offline
    subvenS Offline
    subven
    wrote on last edited by girish
    #1

    As Cloudron uses Dovecot, it would be a good time to update now 🙂

    https://ubuntu.com/security/CVE-2020-24386

    An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users’ email messages (and path disclosure).

    girishG 1 Reply Last reply
    0
    • girishG Offline
      girishG Offline
      girish Staff
      replied to subven on last edited by
      #2

      @subven Thanks for the heads up. I just built the mail container again today because we updated haraka to 2.8.27, so we should have the dovecot patch in that for the next release.

      1 Reply Last reply
      1
      • girishG Offline
        girishG Offline
        girish Staff
        wrote on last edited by
        #3

        Can confirm dovecot was upgraded.

        root@5e4689f53f6c:/app/haraka# dovecot --version
2.2.33.2 (d6601f4ec)
        imc67I 1 Reply Last reply
        1
        • imc67I Offline
          imc67I Offline
          imc67 translator
          replied to girish on last edited by
          #4

          @girish, @subven mentioned An issue was discovered in Dovecot before 2.3.13

          You wrote 2.2.33.2, that’s before 2.3.13 🙂

          girishG 1 Reply Last reply
          0
          • girishG Offline
            girishG Offline
            girish Staff
            replied to imc67 on last edited by
            #5

            @imc67 right, I think that's refering to the ubuntu 20 dovecot version. Ubuntu will backport to ubuntu 18 which is 2.2.x. The CVE link has the details of the ubuntu 18 dovecot version that is fixed (which is 1:2.2.33.2-1ubuntu4.7).

            imc67I 1 Reply Last reply
            1
            • imc67I Offline
              imc67I Offline
              imc67 translator
              replied to girish on last edited by
              #6

              @girish 👍

              1 Reply Last reply
              0
              • girishG Offline
                girishG Offline
                girish Staff
                wrote on last edited by
                #7

                Actually, it seems a better way to confirm this is the apt package version and not the dovecot version. The latest one (i.e one which will be in next release) shows this:

                root@e4d2eb1cba0b:/app/haraka# apt list --installed 2>/dev/null | grep dovecot-core
dovecot-core/bionic-updates,bionic-security,now 1:2.2.33.2-1ubuntu4.7 amd64 [installed]

                The current cloudron container has 1:2.2.33.2-1ubuntu4.6

                1 Reply Last reply
                1

                • Login
                • Don't have an account? Register
                • Login or register to search.
                • First post
                  Last post
                0
                • Categories
                • Recent
                • Tags
                • Popular
                • Bookmarks
                • Search