dovecot24-2.4.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15777 Final 1 1 2025-01-30T00:00:00Z current 2025-01-30T00:00:00Z 2025-01-30T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z dovecot24-2.4.0-1.1 on GA media These are all security issues fixed in the dovecot24-2.4.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15777 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-14461/ SUSE CVE CVE-2017-14461 page https://www.suse.com/security/cve/CVE-2017-15130/ SUSE CVE CVE-2017-15130 page https://www.suse.com/security/cve/CVE-2017-15132/ SUSE CVE CVE-2017-15132 page https://www.suse.com/security/cve/CVE-2019-10691/ SUSE CVE CVE-2019-10691 page https://www.suse.com/security/cve/CVE-2019-11494/ SUSE CVE CVE-2019-11494 page https://www.suse.com/security/cve/CVE-2019-11499/ SUSE CVE CVE-2019-11499 page https://www.suse.com/security/cve/CVE-2019-11500/ SUSE CVE CVE-2019-11500 page https://www.suse.com/security/cve/CVE-2019-19722/ SUSE CVE CVE-2019-19722 page https://www.suse.com/security/cve/CVE-2019-3814/ SUSE CVE CVE-2019-3814 page https://www.suse.com/security/cve/CVE-2019-7524/ SUSE CVE CVE-2019-7524 page https://www.suse.com/security/cve/CVE-2020-10957/ SUSE CVE CVE-2020-10957 page https://www.suse.com/security/cve/CVE-2020-10958/ SUSE CVE CVE-2020-10958 page https://www.suse.com/security/cve/CVE-2020-10967/ SUSE CVE CVE-2020-10967 page https://www.suse.com/security/cve/CVE-2020-12100/ SUSE CVE CVE-2020-12100 page https://www.suse.com/security/cve/CVE-2020-12673/ SUSE CVE CVE-2020-12673 page https://www.suse.com/security/cve/CVE-2020-12674/ SUSE CVE CVE-2020-12674 page https://www.suse.com/security/cve/CVE-2020-24386/ SUSE CVE CVE-2020-24386 page https://www.suse.com/security/cve/CVE-2020-28200/ SUSE CVE CVE-2020-28200 page https://www.suse.com/security/cve/CVE-2020-7046/ SUSE CVE CVE-2020-7046 page https://www.suse.com/security/cve/CVE-2020-7957/ SUSE CVE CVE-2020-7957 page https://www.suse.com/security/cve/CVE-2021-29157/ SUSE CVE CVE-2021-29157 page https://www.suse.com/security/cve/CVE-2021-33515/ SUSE CVE CVE-2021-33515 page https://www.suse.com/security/cve/CVE-2024-23184/ SUSE CVE CVE-2024-23184 page https://www.suse.com/security/cve/CVE-2024-23185/ SUSE CVE CVE-2024-23185 page openSUSE Tumbleweed dovecot24-2.4.0-1.1 dovecot24-backend-mysql-2.4.0-1.1 dovecot24-backend-pgsql-2.4.0-1.1 dovecot24-backend-sqlite-2.4.0-1.1 dovecot24-devel-2.4.0-1.1 dovecot24-fts-2.4.0-1.1 dovecot24-fts-flatcurve-2.4.0-1.1 dovecot24-fts-solr-2.4.0-1.1 dovecot24-2.4.0-1.1 as a component of openSUSE Tumbleweed dovecot24-backend-mysql-2.4.0-1.1 as a component of openSUSE Tumbleweed dovecot24-backend-pgsql-2.4.0-1.1 as a component of openSUSE Tumbleweed dovecot24-backend-sqlite-2.4.0-1.1 as a component of openSUSE Tumbleweed dovecot24-devel-2.4.0-1.1 as a component of openSUSE Tumbleweed dovecot24-fts-2.4.0-1.1 as a component of openSUSE Tumbleweed dovecot24-fts-flatcurve-2.4.0-1.1 as a component of openSUSE Tumbleweed dovecot24-fts-solr-2.4.0-1.1 as a component of openSUSE Tumbleweed A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server. CVE-2017-14461 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5.5 AV:N/AC:L/Au:S/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14461.html CVE-2017-14461 https://bugzilla.suse.com/1082826 SUSE Bug 1082826 A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart. CVE-2017-15130 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-15130.html CVE-2017-15130 https://bugzilla.suse.com/1082828 SUSE Bug 1082828 A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion. CVE-2017-15132 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-15132.html CVE-2017-15132 https://bugzilla.suse.com/1075608 SUSE Bug 1075608 The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username. CVE-2019-10691 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10691.html CVE-2019-10691 https://bugzilla.suse.com/1132501 SUSE Bug 1132501 In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command. CVE-2019-11494 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11494.html CVE-2019-11494 https://bugzilla.suse.com/1133624 SUSE Bug 1133624 https://bugzilla.suse.com/1133625 SUSE Bug 1133625 In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message. CVE-2019-11499 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11499.html CVE-2019-11499 https://bugzilla.suse.com/1133624 SUSE Bug 1133624 https://bugzilla.suse.com/1133625 SUSE Bug 1133625 In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution. CVE-2019-11500 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11500.html CVE-2019-11500 https://bugzilla.suse.com/1145559 SUSE Bug 1145559 In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient. CVE-2019-19722 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-19722.html CVE-2019-19722 https://bugzilla.suse.com/1159090 SUSE Bug 1159090 It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users. CVE-2019-3814 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-3814.html CVE-2019-3814 https://bugzilla.suse.com/1123022 SUSE Bug 1123022 In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components. CVE-2019-7524 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-7524.html CVE-2019-7524 https://bugzilla.suse.com/1130116 SUSE Bug 1130116 In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp. CVE-2020-10957 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-10957.html CVE-2020-10957 https://bugzilla.suse.com/1171457 SUSE Bug 1171457 In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command. CVE-2020-10958 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-10958.html CVE-2020-10958 https://bugzilla.suse.com/1171458 SUSE Bug 1171458 In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart. CVE-2020-10967 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-10967.html CVE-2020-10967 https://bugzilla.suse.com/1171456 SUSE Bug 1171456 In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts. CVE-2020-12100 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12100.html CVE-2020-12100 https://bugzilla.suse.com/1174920 SUSE Bug 1174920 https://bugzilla.suse.com/1180406 SUSE Bug 1180406 In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read. CVE-2020-12673 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12673.html CVE-2020-12673 https://bugzilla.suse.com/1174920 SUSE Bug 1174920 https://bugzilla.suse.com/1174922 SUSE Bug 1174922 In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled. CVE-2020-12674 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12674.html CVE-2020-12674 https://bugzilla.suse.com/1174920 SUSE Bug 1174920 https://bugzilla.suse.com/1174923 SUSE Bug 1174923 An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure). CVE-2020-24386 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-24386.html CVE-2020-24386 https://bugzilla.suse.com/1180405 SUSE Bug 1180405 The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension. CVE-2020-28200 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-28200.html CVE-2020-28200 https://bugzilla.suse.com/1187420 SUSE Bug 1187420 lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop. CVE-2020-7046 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-7046.html CVE-2020-7046 https://bugzilla.suse.com/1162773 SUSE Bug 1162773 The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages. CVE-2020-7957 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-7957.html CVE-2020-7957 https://bugzilla.suse.com/1162773 SUSE Bug 1162773 Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver. CVE-2021-29157 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29157.html CVE-2021-29157 https://bugzilla.suse.com/1187418 SUSE Bug 1187418 The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address. CVE-2021-33515 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-33515.html CVE-2021-33515 https://bugzilla.suse.com/1187419 SUSE Bug 1187419 Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known. CVE-2024-23184 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-23184.html CVE-2024-23184 https://bugzilla.suse.com/1229184 SUSE Bug 1229184 Very large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It doesn't matter whether it's a single long header line, or a single header split into multiple lines. This bug exists in all Dovecot versions. Incoming mails typically have some size limits set by MTA, so even largest possible header size may still fit into Dovecot's vsz_limit. So attackers probably can't DoS a victim user this way. A user could APPEND larger mails though, allowing them to DoS themselves (although maybe cause some memory issues for the backend in general). One can implement restrictions on headers on MTA component preceding Dovecot. No publicly available exploits are known. CVE-2024-23185 openSUSE Tumbleweed:dovecot24-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-mysql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-pgsql-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-backend-sqlite-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-devel-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-flatcurve-2.4.0-1.1 openSUSE Tumbleweed:dovecot24-fts-solr-2.4.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-23185.html CVE-2024-23185 https://bugzilla.suse.com/1229183 SUSE Bug 1229183