Security Advisory Details

NS-SA-2022-0057

2022-05-08 20:35:23

Summary

moderate: krb5/dovecot security update

Severity

moderate

Topic

An update for krb5/dovecot is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

krb5: This package provides debug information for package krb5-devel. Debug information is useful when developing applications that use this package or when debugging this package.
dovecot: This package provides debug information for package dovecot-pigeonhole. Debug information is useful when developing applications that use this package or when debugging this package.


Security Fix(es):
krb5: A flaw was found in krb5. MIT Kerberos 5 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit. (CVE-2020-28196)
krb5: bugfix
dovecot: An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure). (CVE-2020-24386)
dovecot: Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts. (CVE-2020-25275)
dovecot: bugfix
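The krb5 entry above describes the general failure mode of a recursive BER decoder that has no nesting limit: each indefinite-length constructed value recurses into its children, so a message with many nested levels can exhaust the stack before any data is validated. The following is an added illustration written for this advisory, not code from the advisory, from MIT krb5 or from NewStart. It is a toy BER TLV walker (single-byte tags, definite and indefinite lengths) with an explicit depth limit; `MAX_DEPTH`, `nested_indefinite` and `decode_outcome` are names chosen for this example and the test inputs are constructed here.

```python
"""Toy BER decoder with a recursion (nesting) limit.

Added example for this advisory; it is not krb5 code. It shows the class of
mitigation the CVE-2020-28196 fix describes: bounding recursion depth while
walking indefinite-length constructed values.
"""

MAX_DEPTH = 32  # assumed limit for this example; real decoders pick their own


class BerError(ValueError):
    """Raised for malformed or over-nested input."""


def _read_tag(buf, pos):
    # Single-byte tags only (enough for this illustration).
    if pos >= len(buf):
        raise BerError("truncated tag")
    return buf[pos], pos + 1


def _read_length(buf, pos):
    # Returns (length or None for indefinite, new position).
    if pos >= len(buf):
        raise BerError("truncated length")
    b = buf[pos]
    pos += 1
    if b == 0x80:            # indefinite form: content ends at 00 00 (EOC)
        return None, pos
    if b < 0x80:             # short form
        return b, pos
    n = b & 0x7F             # long form: n following bytes hold the length
    if n == 0 or n > 4 or pos + n > len(buf):
        raise BerError("bad length-of-length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_element(buf, pos, depth, max_depth):
    """Decode one TLV at buf[pos]; returns ((tag, children_or_bytes), new_pos).

    The depth check is the mitigation: without it, nesting is bounded only by
    the stack, which is what the krb5 flaw allowed an attacker to exhaust.
    """
    if depth > max_depth:
        raise BerError(f"nesting deeper than {max_depth}")
    tag, pos = _read_tag(buf, pos)
    length, pos = _read_length(buf, pos)
    constructed = bool(tag & 0x20)
    if length is None:
        if not constructed:
            raise BerError("indefinite length on a primitive value")
        children = []
        while True:
            if pos + 2 <= len(buf) and buf[pos] == 0 and buf[pos + 1] == 0:
                return (tag, children), pos + 2          # end-of-contents
            child, pos = decode_element(buf, pos, depth + 1, max_depth)
            children.append(child)
    end = pos + length
    if end > len(buf):
        raise BerError("length exceeds buffer")
    if not constructed:
        return (tag, bytes(buf[pos:end])), end
    children = []
    while pos < end:
        child, pos = decode_element(buf, pos, depth + 1, max_depth)
        children.append(child)
    if pos != end:
        raise BerError("child overran parent")
    return (tag, children), end


def decode(buf, max_depth=MAX_DEPTH):
    elem, end = decode_element(bytes(buf), 0, 0, max_depth)
    if end != len(buf):
        raise BerError("trailing bytes")
    return elem


def nested_indefinite(n):
    """Constructed input: n nested indefinite-length SEQUENCEs around INTEGER 5."""
    return b"\x30\x80" * n + b"\x02\x01\x05" + b"\x00\x00" * n


def decode_outcome(buf, max_depth=MAX_DEPTH):
    """'ok', 'rejected' (limit enforced) or 'stack-exhausted' (no effective limit)."""
    try:
        decode(buf, max_depth)
        return "ok"
    except BerError:
        return "rejected"
    except RecursionError:   # Python's analogue of the native stack overflow
        return "stack-exhausted"


if __name__ == "__main__":
    print(decode(nested_indefinite(3)))
    print(decode_outcome(nested_indefinite(MAX_DEPTH + 1)))
    print(decode_outcome(nested_indefinite(5000), max_depth=10**6))
```

With the limit in place, over-nested input is rejected with a parse error before the decoder has recursed far; with an effectively unlimited depth the same input drives the interpreter into its recursion limit, which in a native decoder would be a crash rather than a clean exception.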


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.02.80B5.

Affected Components

  • krb5
  • dovecot

Affected Products

  • CGSL MAIN 6.02

Update Packages

Product: CGSL MAIN 6.02

Source: krb5-1.18.2-8.el8.src.rpm
  • krb5-devel-debuginfo-1.18.2-8.el8.x86_64.rpm
  • krb5-server-1.18.2-8.el8.x86_64.rpm
  • krb5-debuginfo-1.18.2-8.el8.x86_64.rpm
  • krb5-server-ldap-debuginfo-1.18.2-8.el8.x86_64.rpm
  • krb5-libs-1.18.2-8.el8.x86_64.rpm
  • libkadm5-1.18.2-8.el8.x86_64.rpm
  • krb5-server-ldap-1.18.2-8.el8.x86_64.rpm
  • krb5-devel-1.18.2-8.el8.x86_64.rpm
  • krb5-libs-debuginfo-1.18.2-8.el8.x86_64.rpm
  • libkadm5-debuginfo-1.18.2-8.el8.x86_64.rpm
  • krb5-pkinit-debuginfo-1.18.2-8.el8.x86_64.rpm
  • krb5-debugsource-1.18.2-8.el8.x86_64.rpm
  • krb5-workstation-debuginfo-1.18.2-8.el8.x86_64.rpm
  • krb5-workstation-1.18.2-8.el8.x86_64.rpm
  • krb5-pkinit-1.18.2-8.el8.x86_64.rpm
  • krb5-server-debuginfo-1.18.2-8.el8.x86_64.rpm

Source: dovecot-2.3.8-9.el8.src.rpm
  • dovecot-pigeonhole-debuginfo-2.3.8-9.el8.x86_64.rpm
  • dovecot-devel-2.3.8-9.el8.x86_64.rpm
  • dovecot-debuginfo-2.3.8-9.el8.x86_64.rpm
  • dovecot-pgsql-debuginfo-2.3.8-9.el8.x86_64.rpm
  • dovecot-mysql-debuginfo-2.3.8-9.el8.x86_64.rpm
  • dovecot-debugsource-2.3.8-9.el8.x86_64.rpm
  • dovecot-2.3.8-9.el8.x86_64.rpm
  • dovecot-pgsql-2.3.8-9.el8.x86_64.rpm
  • dovecot-mysql-2.3.8-9.el8.x86_64.rpm
  • dovecot-pigeonhole-2.3.8-9.el8.x86_64.rpm

CVE

References