Cloudron Forum


Dovecot CVE-2020-24386

Tags: dovecot, mail, security
7 Posts 3 Posters 376 Views
  • #1 subven wrote (last edited by girish):

    As Cloudron uses Dovecot, it would be a good time to update now 🙂

    https://ubuntu.com/security/CVE-2020-24386

    An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users’ email messages (and path disclosure).

  • #2 girish (Staff) replied to subven:

    @subven Thanks for the heads up. I just built the mail container again today because we updated haraka to 2.8.27, so we should have the dovecot patch in that for the next release.

  • #3 girish (Staff) wrote:

    Can confirm dovecot was upgraded.

    root@5e4689f53f6c:/app/haraka# dovecot --version
    2.2.33.2 (d6601f4ec)
    
  • #4 imc67 (translator) replied to girish:

    @girish, @subven mentioned "An issue was discovered in Dovecot before 2.3.13".

    You wrote 2.2.33.2, that’s before 2.3.13 🙂

  • #5 girish (Staff) replied to imc67:

    @imc67 right, I think that's referring to the ubuntu 20 dovecot version. Ubuntu will backport to ubuntu 18 which is 2.2.x. The CVE link has the details of the ubuntu 18 dovecot version that is fixed (which is 1:2.2.33.2-1ubuntu4.7).

  • #6 imc67 (translator) replied to girish:

    @girish 👍

  • #7 girish (Staff) wrote:

    Actually, it seems a better way to confirm this is the apt package version and not the dovecot version. The latest one (i.e. one which will be in next release) shows this:

    root@e4d2eb1cba0b:/app/haraka# apt list --installed 2>/dev/null | grep dovecot-core
    dovecot-core/bionic-updates,bionic-security,now 1:2.2.33.2-1ubuntu4.7 amd64 [installed]
    

    The current cloudron container has 1:2.2.33.2-1ubuntu4.6

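The point of posts #3 through #7 is that on a distribution that backports security fixes, `dovecot --version` stays at the upstream number (2.2.33.2) whether or not the fix is installed; only the Debian package version (epoch, upstream version and distro revision, here `1:2.2.33.2-1ubuntu4.7`) tells you. The following is an added example, not code from the thread or from Cloudron: it parses `apt list --installed` output lines (the two sample lines are constructed from the versions quoted in the thread) and compares the installed package version with the fixed one using dpkg's version-ordering rules (epoch first, then upstream, then revision, with `~` sorting before anything else), so a `4.6` revision is correctly reported as unpatched and a `4.7` or later as patched. The fixed version constant is the one girish quotes above; the package name `dovecot-core` is taken from the thread as well.

```python
import re

# Fixed dovecot-core package version for Ubuntu 18.04 (bionic), as stated in the thread.
FIXED_DOVECOT_BIONIC = "1:2.2.33.2-1ubuntu4.7"

# Constructed sample lines in the format printed by `apt list --installed`.
# The second line mirrors the thread; the first is the older, unpatched build
# the thread says the current container ships.
SAMPLE_APT_LINES = [
    "dovecot-core/bionic-updates,bionic-security,now 1:2.2.33.2-1ubuntu4.6 amd64 [installed]",
    "dovecot-core/bionic-updates,bionic-security,now 1:2.2.33.2-1ubuntu4.7 amd64 [installed]",
]

_APT_LINE = re.compile(
    r"^(?P<pkg>[^/\s]+)/(?P<suites>\S+)\s+(?P<ver>\S+)\s+(?P<arch>\S+)\s+\[(?P<flags>[^\]]*)\]"
)


def parse_apt_list_line(line):
    """Split one `apt list --installed` line into package, suites, version, arch, flags."""
    m = _APT_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised apt list line: {line!r}")
    return m.groupdict()


def split_version(version):
    """Return (epoch, upstream_version, debian_revision) per Debian Policy 5.6.12."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def upstream_version(version):
    """The part `dovecot --version` reports: no epoch, no distro revision."""
    return split_version(version)[1]


def _order(c):
    # Sort weight of one character: '~' sorts before everything (even end of
    # string), digits and end-of-string are 0, letters by code point, other
    # punctuation after letters. Mirrors dpkg's order().
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    # dpkg's algorithm: alternate non-digit runs (lexical by _order) and digit
    # runs (numeric, ignoring leading zeros) until one side differs.
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1   # a has more digits, so it is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _sign(n):
    return (n > 0) - (n < 0)


def deb_compare(v1, v2):
    """-1, 0 or 1 like `dpkg --compare-versions`, computed without dpkg."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return _sign(e1 - e2)
    return _sign(_verrevcmp(u1, u2)) or _sign(_verrevcmp(r1, r2))


def is_package_patched(apt_line, fixed=FIXED_DOVECOT_BIONIC, package="dovecot-core"):
    """True if the installed version on this apt line is at or above the fixed one."""
    info = parse_apt_list_line(apt_line)
    if info["pkg"] != package:
        raise ValueError(f"line is for {info['pkg']}, not {package}")
    return deb_compare(info["ver"], fixed) >= 0


if __name__ == "__main__":
    for line in SAMPLE_APT_LINES:
        info = parse_apt_list_line(line)
        print(f"{info['pkg']} {info['ver']}: dovecot --version shows "
              f"{upstream_version(info['ver'])}; patched={is_package_patched(line)}")
```

Running it shows both sample lines reduce to the same `2.2.33.2` upstream string, while only the `1ubuntu4.7` line counts as patched. On a real host, `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' dovecot-core)" ge 1:2.2.33.2-1ubuntu4.7` gives the same answer without this script; the Python version is useful when checking many captured `apt list` outputs offline.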
