hardware / mailserver

:warning: UNMAINTAINED - Simple and full-featured mail server using Docker
https://store.docker.com/community/images/hardware/mailserver
MIT License

Vulnerability in Dovecot #370

Closed Nutomic closed 5 years ago

Nutomic commented 5 years ago

Classification

There was a vulnerability discovered in Dovecot yesterday. You should update the image to release the fix. Details:

https://www.debian.org/security/2019/dsa-4418

I'm not sure how often new Docker builds are triggered, but it might be a good idea to do automatic, daily builds to cover cases like this one.

denji commented 5 years ago

https://seclists.org/fulldisclosure/2019/Apr/34

Product: Dovecot
Vulnerability type: CWE-476
Vulnerable version: 2.3.0 - 2.3.5.2
Vulnerable component: submission-login
Report confidence: Confirmed
Researcher credits: Marcelo Coelho
Solution status: Fixed by Vendor
Fixed version: 2.3.6
Vendor notification: 2019-03-11
Solution date: 2019-04-23
Public disclosure: 2019-04-30
CVE reference: CVE-2019-11494
CVSS: 7.5 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

navossoc commented 5 years ago

I think this issue is already fixed now.

For the stable distribution (stretch), this problem has been fixed in version 1:2.2.27-3+deb9u4.

# dovecot --version
2.2.27 (c0f36b0)
# apt list --installed | grep dovecot

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

dovecot-core/now 1:2.2.27-3+deb9u4 amd64 [installed,local]
dovecot-imapd/now 1:2.2.27-3+deb9u4 amd64 [installed,local]
dovecot-lmtpd/now 1:2.2.27-3+deb9u4 amd64 [installed,local]
dovecot-managesieved/now 1:2.2.27-3+deb9u4 amd64 [installed,local]
dovecot-mysql/now 1:2.2.27-3+deb9u4 amd64 [installed,local]
dovecot-pgsql/now 1:2.2.27-3+deb9u4 amd64 [installed,local]
dovecot-pop3d/now 1:2.2.27-3+deb9u4 amd64 [installed,local]
dovecot-sieve/now 1:2.2.27-3+deb9u4 amd64 [installed,local]