Dovecot CVE-2020-24386
-
As Cloudron uses Dovecot, it would be a good time to update now

https://ubuntu.com/security/CVE-2020-24386
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).
-
Can confirm dovecot was upgraded.
root@5e4689f53f6c:/app/haraka# dovecot --version
2.2.33.2 (d6601f4ec)
-
@imc67 right, I think that's referring to the ubuntu 20 dovecot version. Ubuntu will backport to ubuntu 18 which is 2.2.x. The CVE link has the details of the ubuntu 18 dovecot version that is fixed (which is 1:2.2.33.2-1ubuntu4.7).
-
Actually, it seems a better way to confirm this is the apt package version and not the dovecot version. The latest one (i.e. the one which will be in the next release) shows this:
root@e4d2eb1cba0b:/app/haraka# apt list --installed 2>/dev/null | grep dovecot-core
dovecot-core/bionic-updates,bionic-security,now 1:2.2.33.2-1ubuntu4.7 amd64 [installed]
The current cloudron container has 1:2.2.33.2-1ubuntu4.6
