Security advisory details

NS-SA-2021-0077

2021-03-09 14:30:32

Summary

moderate: SDL/dovecot security update

Severity

moderate

Topic

An update for SDL/dovecot is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

SDL: This package provides debug sources for package SDL. Debug sources are useful when developing applications that use this package or when debugging this package.
dovecot: This package provides the Sieve and ManageSieve plug-in for the Dovecot LDA.


Security Fix(es):

  • SDL: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c. (CVE-2019-7574)
  • SDL: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c. (CVE-2019-7577)
  • SDL: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c. (CVE-2019-7578)
  • SDL: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Map1toN in video/SDL_pixels.c. (CVE-2019-7638)
  • SDL: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c. (CVE-2019-7636)
  • SDL: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c. (CVE-2019-7635)
  • SDL: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c. (CVE-2019-7637)
  • SDL: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c. (CVE-2019-7575)
  • SDL: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the wNumCoef loop). (CVE-2019-7573)
  • SDL: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c. (CVE-2019-7572)
  • SDL: SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (outside the wNumCoef loop). (CVE-2019-7576)
  • SDL: bug fixes
  • dovecot: In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command. (CVE-2020-10958)
  • dovecot: In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart. (CVE-2020-10967)
  • dovecot: bug fixes


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Note that the build tag for this update is 6.02.50B5.

Affected components

  • SDL
  • dovecot

Affected products

  • CGSL MAIN 6.02

Update packages

{
  "fix": [
    {
      "product": "CGSL MAIN 6.02",
      "pkgs": [
        {
          "binary": [
            "SDL-debuginfo-1.2.15-38.el8.x86_64.rpm",
            "SDL-static-1.2.15-38.el8.x86_64.rpm",
            "SDL-debugsource-1.2.15-38.el8.x86_64.rpm",
            "SDL-devel-1.2.15-38.el8.x86_64.rpm",
            "SDL-1.2.15-38.el8.x86_64.rpm"
          ],
          "source": "SDL-1.2.15-38.el8.src.rpm"
        },
        {
          "binary": [
            "dovecot-pigeonhole-debuginfo-2.3.8-4.el8.x86_64.rpm",
            "dovecot-mysql-debuginfo-2.3.8-4.el8.x86_64.rpm",
            "dovecot-debuginfo-2.3.8-4.el8.x86_64.rpm",
            "dovecot-debugsource-2.3.8-4.el8.x86_64.rpm",
            "dovecot-pgsql-debuginfo-2.3.8-4.el8.x86_64.rpm",
            "dovecot-devel-2.3.8-4.el8.x86_64.rpm",
            "dovecot-pigeonhole-2.3.8-4.el8.x86_64.rpm",
            "dovecot-2.3.8-4.el8.x86_64.rpm",
            "dovecot-pgsql-2.3.8-4.el8.x86_64.rpm",
            "dovecot-mysql-2.3.8-4.el8.x86_64.rpm"
          ],
          "source": "dovecot-2.3.8-4.el8.src.rpm"
        }
      ]
    }
  ]
}
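The package manifest above is the data an administrator needs to confirm the update has actually landed on a host. The following script is an added example, not a NewStart tool: it parses the manifest as published in this advisory, derives the fixed name/version/release for each binary package from the RPM filenames, and compares them with the installed packages. It assumes installed packages are fed in as the output of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'`; the sample output embedded here is constructed for illustration. The version comparison is a simplified reimplementation of rpm's segment ordering (digits compared numerically, letters lexically, numeric segments newer than alpha ones) and does not handle epochs or rpm's tilde/caret rules.

```python
import json
import re
from typing import Dict, List, Tuple

# Fix manifest as published in this advisory ("Update packages" block).
FIX_MANIFEST = json.loads("""
{"fix":[{"product":"CGSL MAIN 6.02","pkgs":[
  {"binary":["SDL-debuginfo-1.2.15-38.el8.x86_64.rpm","SDL-static-1.2.15-38.el8.x86_64.rpm",
             "SDL-debugsource-1.2.15-38.el8.x86_64.rpm","SDL-devel-1.2.15-38.el8.x86_64.rpm",
             "SDL-1.2.15-38.el8.x86_64.rpm"],
   "source":"SDL-1.2.15-38.el8.src.rpm"},
  {"binary":["dovecot-pigeonhole-debuginfo-2.3.8-4.el8.x86_64.rpm","dovecot-mysql-debuginfo-2.3.8-4.el8.x86_64.rpm",
             "dovecot-debuginfo-2.3.8-4.el8.x86_64.rpm","dovecot-debugsource-2.3.8-4.el8.x86_64.rpm",
             "dovecot-pgsql-debuginfo-2.3.8-4.el8.x86_64.rpm","dovecot-devel-2.3.8-4.el8.x86_64.rpm",
             "dovecot-pigeonhole-2.3.8-4.el8.x86_64.rpm","dovecot-2.3.8-4.el8.x86_64.rpm",
             "dovecot-pgsql-2.3.8-4.el8.x86_64.rpm","dovecot-mysql-2.3.8-4.el8.x86_64.rpm"],
   "source":"dovecot-2.3.8-4.el8.src.rpm"}]}]}
""")

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output
# from a host that has not yet applied this update (not real inventory data).
SAMPLE_RPM_QA = """\
SDL 1.2.15 37.el8
dovecot 2.3.8 3.el8
dovecot-pigeonhole 2.3.8 4.el8
openssl 1.1.1 8.el8
"""

EVR = Tuple[str, str]  # (version, release); the filenames carry no epoch


def parse_rpm_filename(fn: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch.rpm' into (name, version, release, arch)."""
    if not fn.endswith(".rpm"):
        raise ValueError(f"not an rpm filename: {fn}")
    stem, arch = fn[:-4].rsplit(".", 1)
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch


_SEG = re.compile(r"\d+|[A-Za-z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpm version ordering: returns -1, 0 or 1.
    Numeric segments compare as integers, alpha segments lexically, and a
    numeric segment is newer than an alpha one. Tilde/caret are not handled."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def evr_cmp(a: EVR, b: EVR) -> int:
    """Compare (version, release) pairs: version first, then release."""
    c = rpm_vercmp(a[0], b[0])
    return c if c else rpm_vercmp(a[1], b[1])


def fixed_versions(manifest: dict, product: str) -> Dict[str, EVR]:
    """Map each binary package name for `product` to its fixed (version, release)."""
    fixed: Dict[str, EVR] = {}
    for entry in manifest["fix"]:
        if entry["product"] != product:
            continue
        for pkg in entry["pkgs"]:
            for fn in pkg["binary"]:
                name, version, release, _arch = parse_rpm_filename(fn)
                fixed[name] = (version, release)
    return fixed


def audit(rpm_qa_output: str, fixed: Dict[str, EVR]) -> List[Tuple[str, str, str]]:
    """Return (name, installed_vr, fixed_vr) for every installed package that the
    manifest covers but which is still older than the fixed build."""
    stale = []
    for line in rpm_qa_output.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name, version, release = parts
        if name in fixed and evr_cmp((version, release), fixed[name]) < 0:
            stale.append((name, f"{version}-{release}", "-".join(fixed[name])))
    return stale


if __name__ == "__main__":
    fixed = fixed_versions(FIX_MANIFEST, "CGSL MAIN 6.02")
    for name, have, want in audit(SAMPLE_RPM_QA, fixed):
        print(f"{name}: installed {have}, fixed in {want}")
```

Run on a real host by piping the `rpm -qa` query into `audit()` instead of `SAMPLE_RPM_QA`; on the constructed sample it reports SDL and dovecot as still at the pre-update release while dovecot-pigeonhole already matches the fixed build. Packages absent from the manifest (openssl in the sample) are ignored rather than reported.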

CVE

References