SOLVED Dovecot CVE-2020-24386
-
As Cloudron uses Dovecot, it would be a good time to update now
https://ubuntu.com/security/CVE-2020-24386
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other usersโ email messages (and path disclosure).
-
@subven Thanks for the heads up. I just built the mail container again today because we updated haraka to 2.8.27, so we should have the dovecot patch in that for the next release.
-
Can confirm dovecot was upgraded.
root@5e4689f53f6c:/app/haraka# dovecot --version 2.2.33.2 (d6601f4ec) -
@girish, @subven mentioned
An issue was discovered in Dovecot before 2.3.13You wrote 2.2.33.2, thatโs before 2.3.13
-
@imc67 right, I think that's refering to the ubuntu 20 dovecot version. Ubuntu will backport to ubuntu 18 which is 2.2.x. The CVE link has the details of the ubuntu 18 dovecot version that is fixed (which is 1:2.2.33.2-1ubuntu4.7).
-
-
Actually, it seems a better way to confirm this is the apt package version and not the dovecot version. The latest one (i.e one which will be in next release) shows this:
root@e4d2eb1cba0b:/app/haraka# apt list --installed 2>/dev/null | grep dovecot-core dovecot-core/bionic-updates,bionic-security,now 1:2.2.33.2-1ubuntu4.7 amd64 [installed]The current cloudron container has
1:2.2.33.2-1ubuntu4.6
