Dovecot CVE-2020-24386
-
As Cloudron uses Dovecot, it would be a good time to update now
https://ubuntu.com/security/CVE-2020-24386
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users’ email messages (and path disclosure).
-
Can confirm dovecot was upgraded.
root@5e4689f53f6c:/app/haraka# dovecot --version
2.2.33.2 (d6601f4ec)
-
@imc67 right, I think that's referring to the Ubuntu 20 dovecot version. Ubuntu will backport to Ubuntu 18 which is 2.2.x. The CVE link has the details of the Ubuntu 18 dovecot version that is fixed (which is 1:2.2.33.2-1ubuntu4.7).
-
Actually, it seems a better way to confirm this is the apt package version and not the dovecot version. The latest one (i.e. one which will be in next release) shows this:
root@e4d2eb1cba0b:/app/haraka# apt list --installed 2>/dev/null | grep dovecot-core
dovecot-core/bionic-updates,bionic-security,now 1:2.2.33.2-1ubuntu4.7 amd64 [installed]
The current cloudron container has
1:2.2.33.2-1ubuntu4.6
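A check that applies the point made above (compare the apt package version, not `dovecot --version`), added here as an example and not taken from the thread or from Cloudron: it parses `apt list --installed` output and compares the installed dovecot-core version against the fixed 1:2.2.33.2-1ubuntu4.7 using dpkg's own ordering rules (epoch first, so the backported 1:2.2.33.2 ranks above upstream 2.3.13) reimplemented in Python. The sample apt line is constructed.

```python
import re

FIXED = "1:2.2.33.2-1ubuntu4.7"  # fixed bionic package named on the CVE page
# Constructed sample line from `apt list --installed 2>/dev/null | grep dovecot-core`
SAMPLE = "dovecot-core/now 1:2.2.33.2-1ubuntu4.6 amd64 [installed,upgradable to: 1:2.2.33.2-1ubuntu4.7]\n"
APT_LINE = re.compile(r"^(?P<pkg>\S+)/\S+\s+(?P<ver>\S+)\s+\S+\s+\[installed")

def _order(c):
    # dpkg character weight: end-of-string/digit 0, '~' below everything, letters below symbols
    return 0 if c == "" or c.isdigit() else -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare an upstream or revision string the way dpkg's verrevcmp() does
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa, ob = _order(a[i:i + 1]), _order(b[j:j + 1])
            if oa != ob:
                return -1 if oa < ob else 1
            i, j = i + 1, j + 1
        ra, rb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(ra), j + len(rb)
        na, nb = ra.lstrip("0"), rb.lstrip("0")  # numeric compare: longer run wins, then digits
        if (len(na), na) != (len(nb), nb):
            return -1 if (len(na), na) < (len(nb), nb) else 1
    return 0

def _split(v):
    # epoch before the first ':' (default 0), Debian revision after the last '-' (default empty)
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(x, y):
    # -1/0/1 like `dpkg --compare-versions`: epoch, then upstream, then Debian revision
    (ex, ux, rx), (ey, uy, ry) = _split(x), _split(y)
    if ex != ey:
        return -1 if ex < ey else 1
    return _cmp_fragment(ux, uy) or _cmp_fragment(rx, ry)

def installed_version(apt_output, package):
    # Installed version of one package from `apt list --installed` output, or None
    for m in map(APT_LINE.match, apt_output.splitlines()):
        if m and m.group("pkg") == package:
            return m.group("ver")

def is_fixed(apt_output, package="dovecot-core", fixed=FIXED):
    # True only when the installed package version is at least the fixed one
    v = installed_version(apt_output, package)
    return v is not None and compare_versions(v, fixed) >= 0
```

Feed `is_fixed()` the real `apt list --installed` output from a container to check it; on the sample above it reports the 4.6 build as not yet fixed.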