FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mail/dovecot -- multiple vulnerabilities

Affected packages
dovecot < 2.3.13

Details

VuXML ID bd98066d-4ea4-11eb-b412-e86a64caca56
Discovery 2020-08-17
Entry 2021-01-04

Aki Tuomi reports:

When IMAP hibernation is active, an attacker can cause Dovecot to discover file system directory structure and access other users' emails using a specially crafted command. The attacker must have valid credentials to access the mail server.

Mail delivery / parsing crashed when the 10 000th MIME part was message/rfc822 (or if parent was multipart/digest). This happened due to earlier MIME parsing changes for CVE-2020-12100.

References

CVE Name CVE-2020-24386
CVE Name CVE-2020-25275
URL https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html