Cloudron Forum
Solved: Dovecot CVE-2020-24386

Support
Tags: dovecot, mail, security
subven (last edited by girish):

      As Cloudron uses Dovecot, it would be a good time to update now 🙂

      https://ubuntu.com/security/CVE-2020-24386

      An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users’ email messages (and path disclosure).

girish (Staff), replying to @subven:

        @subven Thanks for the heads up. I just built the mail container again today because we updated haraka to 2.8.27, so we should have the dovecot patch in that for the next release.

girish (Staff):

          Can confirm dovecot was upgraded.

          root@5e4689f53f6c:/app/haraka# dovecot --version
          2.2.33.2 (d6601f4ec)
imc67 (translator), replying to @girish:

            @girish, @subven mentioned An issue was discovered in Dovecot before 2.3.13

            You wrote 2.2.33.2, that’s before 2.3.13 🙂

girish (Staff), replying to @imc67:

@imc67 right, I think that's referring to the Ubuntu 20 dovecot version. Ubuntu will backport to Ubuntu 18, which is 2.2.x. The CVE link has the details of the Ubuntu 18 dovecot version that is fixed (which is 1:2.2.33.2-1ubuntu4.7).

imc67 (translator), replying to @girish:

                @girish 👍

girish (Staff):

Actually, it seems a better way to confirm this is the apt package version and not the dovecot version. The latest one (i.e. the one which will be in the next release) shows this:

                  root@e4d2eb1cba0b:/app/haraka# apt list --installed 2>/dev/null | grep dovecot-core
                  dovecot-core/bionic-updates,bionic-security,now 1:2.2.33.2-1ubuntu4.7 amd64 [installed]

                  The current cloudron container has 1:2.2.33.2-1ubuntu4.6

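The check girish lands on above (compare the Debian package version, not the upstream `dovecot --version`, because Ubuntu backports the CVE fix without bumping 2.2.33.2) can be scripted so it does not depend on eyeballing a grep. The following is an added example, not Cloudron's own tooling; the fixed version string 1:2.2.33.2-1ubuntu4.7 is taken from the Ubuntu advisory linked in the thread, and the two `apt list` lines are constructed from the versions quoted in this thread.

```shell
#!/bin/sh
# Added example (not Cloudron code): decide whether the dovecot-core package in
# a mail container carries Ubuntu's backported fix for CVE-2020-24386 by comparing
# the apt package version. `dovecot --version` stays at 2.2.33.2 on bionic both
# before and after the fix, so it cannot tell the two apart.

# Fixed bionic package version, from the Ubuntu advisory linked in the thread.
FIXED_VERSION="1:2.2.33.2-1ubuntu4.7"

# version_ge A B: succeed if Debian version A >= B. Prefer dpkg's comparison
# (it knows about epochs, "~" pre-release suffixes, etc.); fall back to
# GNU sort -V on hosts without dpkg.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# apt_list_version LINE: extract the version field from an "apt list --installed"
# line for dovecot-core, e.g.
#   dovecot-core/bionic-updates,bionic-security,now 1:2.2.33.2-1ubuntu4.7 amd64 [installed]
# Anchoring on "dovecot-core/" avoids matching packages that merely contain the string.
apt_list_version() {
    printf '%s\n' "$1" | awk '$1 ~ /^dovecot-core\// { print $2 }'
}

# dovecot_status LINE: print "patched", "vulnerable" or "unknown" (no dovecot-core
# line found). Always returns 0 so it is safe to call under `set -e`.
dovecot_status() {
    v=$(apt_list_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample lines: the two package versions mentioned in the thread.
CURRENT_LINE='dovecot-core/bionic-updates,bionic-security,now 1:2.2.33.2-1ubuntu4.6 amd64 [installed]'
NEXT_LINE='dovecot-core/bionic-updates,bionic-security,now 1:2.2.33.2-1ubuntu4.7 amd64 [installed]'

echo "current container: $(dovecot_status "$CURRENT_LINE")"   # vulnerable
echo "next release:      $(dovecot_status "$NEXT_LINE")"      # patched

# Live check, run inside the mail container (apt prints a CLI-stability warning
# on stderr, hence the redirect):
#   dovecot_status "$(apt list --installed 2>/dev/null | grep '^dovecot-core/')"
```

The same pattern applies to any distro-backported fix: look up the fixed package version in the distribution's advisory (the Ubuntu CVE page lists one per release) and compare against `dpkg -s` or `apt list` output rather than the upstream version string, which is exactly the confusion imc67 ran into above.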