UbuntuUpdates.org

Package "dovecot-lmtpd"

Name: dovecot-lmtpd

Description:

secure POP3/IMAP server - LMTP server

Latest version: 1:2.2.22-1ubuntu2.14
Release: xenial (16.04)
Level: security
Repository: universe
Head package: dovecot
Homepage: http://dovecot.org/

Links


Download "dovecot-lmtpd"


Other versions of "dovecot-lmtpd" in Xenial

Repository Area Version
base universe 1:2.2.22-1ubuntu2
updates universe 1:2.2.22-1ubuntu2.14

Changelog

Version: 1:2.2.22-1ubuntu2.9 2019-02-05 15:07:01 UTC

  dovecot (1:2.2.22-1ubuntu2.9) xenial-security; urgency=medium

  * SECURITY UPDATE: incorrect client certificate validation
    - debian/patches/CVE-2019-3814-1.patch: do not import empty certificate
      username in src/auth/auth-request.c.
    - debian/patches/CVE-2019-3814-2.patch: fail authentication if
      certificate username was unexpectedly missing in
      src/auth/auth-request-handler.c.
    - debian/patches/CVE-2019-3814-3.patch: ensure we get username from
      certificate in src/login-common/sasl-server.c.
    - CVE-2019-3814

 -- Marc Deslauriers <email address hidden> Mon, 28 Jan 2019 08:53:15 -0500

Source diff to previous version
CVE-2019-3814 Suitable client certificate can be used to login as other user

Version: 1:2.2.22-1ubuntu2.7 2018-03-05 13:07:37 UTC

  dovecot (1:2.2.22-1ubuntu2.7) xenial-security; urgency=medium

  * SECURITY UPDATE: rfc822_parse_domain Information Leak Vulnerability
    - debian/patches/CVE-2017-14461/*.patch: upstream parsing fixes.
    - CVE-2017-14461
  * SECURITY UPDATE: TLS SNI config lookups DoS
    - debian/patches/CVE-2017-15130/*.patch: upstream config filtering fix.
    - CVE-2017-15130

 -- Marc Deslauriers <email address hidden> Tue, 27 Feb 2018 07:46:12 -0500

Source diff to previous version
CVE-2017-14461 A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive info
CVE-2017-15130 A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration

Version: 1:2.2.22-1ubuntu2.6 2018-02-01 21:06:42 UTC

  dovecot (1:2.2.22-1ubuntu2.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Memory leak that can cause crash due to memory exhaustion
    - debian/patches/CVE-2017-15132.patch: fix memory leak in
      auth_client_request_abort() in src/lib-auth/auth-client-request.c.
    - debian/patches/CVE-2017-15132-additional.patch: remove request after
      abort in src/lib-auth/auth-client-request.c,
      src/lib-auth/auth-server-connection.c,
      src/lib-auth/auth-serser-connection.h.
    - CVE-2017-15132

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 31 Jan 2018 12:58:33 -0300

Source diff to previous version
CVE-2017-15132 A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by log

Version: 1:2.2.22-1ubuntu2.4 2017-04-12 05:08:38 UTC
No changelog available yet.



About   -   Send Feedback to @ubuntu_updates