Lucene search
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.SUSE_SU-2021-0029-1.NASLHistoryJan 06, 2021 - 12:00 a.m.
SUSE SLES15 Security Update : dovecot23 (SUSE-SU-2021:0029-1)
2021-01-0600:00:00
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
12
7.3 High
AI Score
Confidence
High
This update for dovecot23 fixes the following issues :
Security issues fixed :
CVE-2020-12100: Fixed a resource exhaustion caused by deeply nested MIME parts (bsc#1174920).
CVE-2020-24386: Fixed an issue with IMAP hibernation that allowed users to access other users’ emails (bsc#1180405).
CVE-2020-25275: Fixed a crash when the 10000th MIME part was message/rfc822 (bsc#1180406).
Non-security issues fixed :
Pigeonhole was updated to version 0.5.11.
Dovecot was updated to version 2.3.11.3.
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2021:0029-1.
# The text itself is copyright (C) SUSE.
#
include('compat.inc');
if (description)
{
script_id(144757);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/30");
script_cve_id("CVE-2020-12100", "CVE-2020-24386", "CVE-2020-25275");
script_name(english:"SUSE SLES15 Security Update : dovecot23 (SUSE-SU-2021:0029-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"This update for dovecot23 fixes the following issues :
Security issues fixed :
CVE-2020-12100: Fixed a resource exhaustion caused by deeply nested
MIME parts (bsc#1174920).
CVE-2020-24386: Fixed an issue with IMAP hibernation that allowed
users to access other users' emails (bsc#1180405).
CVE-2020-25275: Fixed a crash when the 10000th MIME part was
message/rfc822 (bsc#1180406).
Non-security issues fixed :
Pigeonhole was updated to version 0.5.11.
Dovecot was updated to version 2.3.11.3.
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1174920");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1180405");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1180406");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-12100/");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-24386/");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-25275/");
# https://www.suse.com/support/update/announcement/2021/suse-su-20210029-1
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6161cb91");
script_set_attribute(attribute:"solution", value:
"To install this SUSE Security Update use the SUSE recommended
installation methods like YaST online_update or 'zypper patch'.
Alternatively you can run the command listed for your product :
SUSE Linux Enterprise Server for SAP 15 :
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-29=1
SUSE Linux Enterprise Server 15-LTSS :
zypper in -t patch SUSE-SLE-Product-SLES-15-2021-29=1
SUSE Linux Enterprise High Performance Computing 15-LTSS :
zypper in -t patch SUSE-SLE-Product-HPC-15-2021-29=1
SUSE Linux Enterprise High Performance Computing 15-ESPOS :
zypper in -t patch SUSE-SLE-Product-HPC-15-2021-29=1");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-24386");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/08/12");
script_set_attribute(attribute:"patch_publication_date", value:"2021/01/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/01/06");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-backend-mysql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-backend-mysql-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-backend-pgsql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-backend-pgsql-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-backend-sqlite");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-backend-sqlite-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-debugsource");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-fts");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-fts-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-fts-lucene");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-fts-lucene-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-fts-solr");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-fts-solr-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-fts-squat");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:dovecot23-fts-squat-debuginfo");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES15", "SUSE " + os_ver);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
if (cpu >!< "s390x") audit(AUDIT_ARCH_NOT, "s390x", cpu);
sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP0", os_ver + " SP" + sp);
flag = 0;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-backend-mysql-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-backend-mysql-debuginfo-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-backend-pgsql-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-backend-pgsql-debuginfo-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-backend-sqlite-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-backend-sqlite-debuginfo-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-debuginfo-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-debugsource-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-devel-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-fts-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-fts-debuginfo-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-fts-lucene-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-fts-lucene-debuginfo-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-fts-solr-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-fts-solr-debuginfo-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-fts-squat-2.3.11.3-4.32.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"dovecot23-fts-squat-debuginfo-2.3.11.3-4.32.1")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
else security_warning(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "dovecot23");
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| novell | suse_linux | dovecot23-fts-squat | p-cpe:/a:novell:suse_linux:dovecot23-fts-squat |
| novell | suse_linux | dovecot23-fts-squat-debuginfo | p-cpe:/a:novell:suse_linux:dovecot23-fts-squat-debuginfo |
| novell | suse_linux | 15 | cpe:/o:novell:suse_linux:15 |
| novell | suse_linux | dovecot23 | p-cpe:/a:novell:suse_linux:dovecot23 |
| novell | suse_linux | dovecot23-backend-mysql | p-cpe:/a:novell:suse_linux:dovecot23-backend-mysql |
| novell | suse_linux | dovecot23-backend-mysql-debuginfo | p-cpe:/a:novell:suse_linux:dovecot23-backend-mysql-debuginfo |
| novell | suse_linux | dovecot23-backend-pgsql | p-cpe:/a:novell:suse_linux:dovecot23-backend-pgsql |
| novell | suse_linux | dovecot23-backend-pgsql-debuginfo | p-cpe:/a:novell:suse_linux:dovecot23-backend-pgsql-debuginfo |
| novell | suse_linux | dovecot23-backend-sqlite | p-cpe:/a:novell:suse_linux:dovecot23-backend-sqlite |
| novell | suse_linux | dovecot23-backend-sqlite-debuginfo | p-cpe:/a:novell:suse_linux:dovecot23-backend-sqlite-debuginfo |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12100
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24386
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25275
www.nessus.org/u?6161cb91
bugzilla.suse.com/show_bug.cgi?id=1174920
bugzilla.suse.com/show_bug.cgi?id=1180405
bugzilla.suse.com/show_bug.cgi?id=1180406
www.suse.com/security/cve/CVE-2020-12100/
www.suse.com/security/cve/CVE-2020-24386/
www.suse.com/security/cve/CVE-2020-25275/
Related
archlinux
archlinux
[ASA-202101-4] dovecot: multiple issues
2021-01-04 00:00:00
nessus
nessus
Debian DSA-4825-1 : dovecot - security update
2021-01-05 00:00:00
FreeBSD : mail/dovecot -- multiple vulnerabilities (bd98066d-4ea4-11eb-b412-e86a64caca56)
2021-01-11 00:00:00
SUSE SLES15 Security Update : dovecot23 (SUSE-SU-2021:0027-1)
2021-01-06 00:00:00
freebsd
freebsd
mail/dovecot -- multiple vulnerabilities
2020-08-17 00:00:00
mail/dovecot -- multiple vulnerabilities
2020-04-23 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2021:0027-1)
2021-06-09 00:00:00
openSUSE: Security Advisory for dovecot23 (openSUSE-SU-2021:0072-1)
2021-04-16 00:00:00
openSUSE: Security Advisory for dovecot23 (openSUSE-SU-2021:0026-1)
2021-04-16 00:00:00
suse
suse
Security update for dovecot23 (important)
2021-01-16 00:00:00
Security update for dovecot23 (important)
2021-01-07 00:00:00
Security update for dovecot23 (moderate)
2021-09-04 00:00:00
debian
debian
[SECURITY] [DSA 4825-1] dovecot security update
2021-01-04 15:23:59
[SECURITY] [DSA 4825-1] dovecot security update
2021-01-04 15:23:59
[SECURITY] [DLA 2517-1] dovecot security update
2021-01-05 16:41:18
osv
osv
Moderate: dovecot security and bug fix update
2021-05-18 06:19:41
dovecot - security update
2021-01-05 00:00:00
dovecot - security update
2021-01-04 00:00:00
gentoo
gentoo
Dovecot: Multiple vulnerabilities
2021-01-10 00:00:00
Dovecot: Multiple vulnerabilities
2020-09-06 00:00:00
oraclelinux
oraclelinux
dovecot security and bug fix update
2021-05-25 00:00:00
dovecot security update
2020-09-11 00:00:00
dovecot security update
2020-09-03 00:00:00
ubuntu
ubuntu
Dovecot vulnerabilities
2021-01-04 00:00:00
Dovecot vulnerability
2021-01-04 00:00:00
Dovecot vulnerabilities
2020-08-17 00:00:00
cloudlinux
cloudlinux
Fix of CVE: CVE-2020-25275, CVE-2020-12100
2021-10-07 15:19:39
Fix of CVE: CVE-2020-25275, CVE-2020-12100
2021-10-18 16:15:45
zdt
zdt
Dovecot 2.3.11.3 Denial Of Service Vulnerability
2021-01-07 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 9 package dovecot version 2.3.13-alt1
2021-01-18 00:00:00
Security fix for the ALT Linux 9 package dovecot version 2.3.11.3-alt1
2020-12-07 00:00:00
fedora
fedora
[SECURITY] Fedora 32 Update: dovecot-2.3.13-2.fc32
2021-01-20 01:27:57
[SECURITY] Fedora 31 Update: dovecot-2.3.11.3-4.fc31
2020-09-03 16:27:31
[SECURITY] Fedora 32 Update: dovecot-2.3.11.3-5.fc32
2020-10-13 20:35:04
redhat
redhat
(RHSA-2021:1887) Moderate: dovecot security and bug fix update
2021-05-18 06:19:41
(RHSA-2020:3713) Important: dovecot security update
2020-09-10 12:36:17
(RHSA-2020:3735) Important: dovecot security update
2020-09-14 12:27:13
almalinux
almalinux
Moderate: dovecot security and bug fix update
2021-05-18 06:19:41
mageia
mageia
Updated dovecot packages fix security vulnerabilities
2021-01-08 16:59:29
Updated dovecot packages fix security vulnerability
2020-08-18 20:41:27
alpinelinux
alpinelinux
debiancve
debiancve
redhatcve
redhatcve
prion
prion
Input validation
2021-01-04 17:15:00
Path traversal
2021-01-04 17:15:00
Design/Logic Flaw
2020-08-12 16:15:00
ubuntucve
ubuntucve
cve
cve
veracode
veracode
Denial Of Service (DoS)
2021-01-15 16:41:13
Denial Of Service (DoS)
2020-08-18 08:22:29
Information Disclosure
2021-01-15 16:21:17
hackerone
hackerone
centos
centos
dovecot security update
2020-09-14 14:40:04
amazon
amazon
Important: dovecot
2020-10-26 17:59:00
Important: dovecot
2020-09-15 17:18:00