Dovecot CVE-2020-24386
As Cloudron uses Dovecot, it would be a good time to update now.
https://ubuntu.com/security/CVE-2020-24386
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users’ email messages (and path disclosure).
-
Can confirm dovecot was upgraded.
root@5e4689f53f6c:/app/haraka# dovecot --version
2.2.33.2 (d6601f4ec)
-
Actually, it seems a better way to confirm this is the apt package version and not the dovecot version. The latest one (i.e. one which will be in the next release) shows this:
root@e4d2eb1cba0b:/app/haraka# apt list --installed 2>/dev/null | grep dovecot-core
dovecot-core/bionic-updates,bionic-security,now 1:2.2.33.2-1ubuntu4.7 amd64 [installed]
The current cloudron container has
1:2.2.33.2-1ubuntu4.6