Security Advisory Details

NS-SA-2020-0105

2020-12-08 09:15:38

Summary

moderate: dovecot/file security update

Severity

moderate

Topic

An update for dovecot/file is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

dovecot: Dovecot is an IMAP server for Linux/UNIX-like systems, written with security primarily in mind. It also contains a small POP3 server. It supports mail in either maildir or mbox format. The SQL drivers and authentication plug-ins are in their own subpackages.
file: The file command is used to identify a particular file according to the type of data contained by the file. File can identify many different file types, including ELF binaries, system libraries, RPM packages, and different graphics formats.


Security Fix(es):
dovecot: In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.(CVE-2019-7524)
dovecot: It was discovered that Dovecot incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.(CVE-2019-3814)
dovecot: bugfix
file: The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.(CVE-2018-10360)
file: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F9B3.
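As an added example that is not part of this advisory, the following POSIX shell script checks whether the installed dovecot and file packages are at or above the fixed builds this advisory ships (2.2.36-6.el7 and 5.11-36.el7), so an administrator can confirm the update actually took effect. It assumes an rpm-based CGSL host and uses sort -V as an approximation of rpm's version ordering, which is adequate for these plain VERSION-RELEASE strings.

```shell
#!/bin/sh
# Added example, not part of the NewStart advisory: verify that the installed
# dovecot and file packages meet the fixed versions from NS-SA-2020-0105.
# Fixed VERSION-RELEASE values are taken from the advisory's package list.
FIXED_DOVECOT="2.2.36-6.el7"
FIXED_FILE="5.11-36.el7"

# version_ge INSTALLED FIXED: succeed (0) when INSTALLED >= FIXED.
# sort -V approximates rpm's version ordering; adequate for these plain
# numeric VERSION-RELEASE strings (assumption), not for epochs or tildes.
version_ge() {
    installed="$1"; fixed="$2"
    [ "$installed" = "$fixed" ] && return 0
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# installed_vr PKG: print VERSION-RELEASE of an installed rpm; fail if absent.
installed_vr() {
    rpm -q "$1" >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" | head -n 1
}

# check_pkg PKG FIXED: report status; return 1 only when a vulnerable build is installed.
check_pkg() {
    pkg="$1"; fixed="$2"
    if ! vr=$(installed_vr "$pkg"); then
        echo "$pkg: not installed"
    elif version_ge "$vr" "$fixed"; then
        echo "$pkg: $vr is at or above fixed $fixed"
    else
        echo "$pkg: $vr is below fixed $fixed (update required)"
        return 1
    fi
}

main() {
    rc=0
    check_pkg dovecot "$FIXED_DOVECOT" || rc=1
    check_pkg file "$FIXED_FILE" || rc=1
    return "$rc"
}

main "$@"
```

A non-zero exit status means at least one of the two packages is still below the fixed build and the update from this advisory has not been applied.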

Affected components

  • dovecot
  • file

Affected products

  • CGSL MAIN 5.05
  • CGSL CORE 5.05

Update packages

CGSL MAIN 5.05

  • dovecot (source: dovecot-2.2.36-6.el7.src.rpm)
    Binaries: dovecot-2.2.36-6.el7.x86_64.rpm, dovecot-debuginfo-2.2.36-6.el7.x86_64.rpm, dovecot-devel-2.2.36-6.el7.x86_64.rpm, dovecot-pgsql-2.2.36-6.el7.x86_64.rpm, dovecot-mysql-2.2.36-6.el7.x86_64.rpm, dovecot-pigeonhole-2.2.36-6.el7.x86_64.rpm
  • file (source: file-5.11-36.el7.src.rpm)
    Binaries: file-5.11-36.el7.x86_64.rpm, file-devel-5.11-36.el7.x86_64.rpm, file-libs-5.11-36.el7.x86_64.rpm, file-static-5.11-36.el7.x86_64.rpm, file-debuginfo-5.11-36.el7.x86_64.rpm, python-magic-5.11-36.el7.noarch.rpm

CGSL CORE 5.05

  • dovecot (source: dovecot-2.2.36-6.el7.src.rpm)
    Binaries: dovecot-2.2.36-6.el7.x86_64.rpm, dovecot-debuginfo-2.2.36-6.el7.x86_64.rpm, dovecot-devel-2.2.36-6.el7.x86_64.rpm, dovecot-mysql-2.2.36-6.el7.x86_64.rpm, dovecot-pgsql-2.2.36-6.el7.x86_64.rpm, dovecot-pigeonhole-2.2.36-6.el7.x86_64.rpm
  • file (source: file-5.11-36.el7.src.rpm)
    Binaries: file-5.11-36.el7.x86_64.rpm, file-debuginfo-5.11-36.el7.x86_64.rpm, file-devel-5.11-36.el7.x86_64.rpm, file-static-5.11-36.el7.x86_64.rpm, file-libs-5.11-36.el7.x86_64.rpm, python-magic-5.11-36.el7.noarch.rpm

CVE

References