Hi Noah,

On Fri, Jul 02, 2021 at 10:41:12AM +0200, Moritz Mühlenhoff wrote:
> Source: dovecot
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for dovecot.
>
> CVE-2021-33515[0]:
> | The submission service in Dovecot before 2.3.15 allows STARTTLS
> | command injection in lib-smtp. Sensitive information can be redirected
> | to an attacker-controlled address.
>
> https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
> https://www.openwall.com/lists/oss-security/2021/06/28/2
>
>
> CVE-2021-29157[1]:
> | Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with
> | access to the local filesystem can trick OAuth2 authentication into
> | using an HS256 validation key from an attacker-controlled location.
> | This occurs during use of local JWT validation with the posix fs
> | driver.
>
> https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html
> https://www.openwall.com/lists/oss-security/2021/06/28/1
>
>
> CVE-2020-28200[2]:
> | The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource
> | Consumption, as demonstrated by a situation with a complex regular
> | expression for the regex extension.
>
> https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
> https://www.openwall.com/lists/oss-security/2021/06/28/3
>
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-33515
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33515
> [1] https://security-tracker.debian.org/tracker/CVE-2021-29157
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29157
> [2] https://security-tracker.debian.org/tracker/CVE-2020-28200
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28200
>
> Please adjust the affected versions in the BTS as needed.

Do you have a chance to try to get this in yet in time for bullseye? Do you have time for it (I do agree the time is now very tight)?

Regards,
Salvatore