
Security vulnerabilities in the dovecot software package

  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LFE

Fedora Update Notification
2020-05-28 01:59:14.571867

Name : dovecot
Product : Fedora 31
Version :
Release : 1.fc31
Summary : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

Update Information:

– CVE-2020-10957: lmtp/submission: A client can crash the server by sending a
  NOOP command with an invalid string parameter. This occurs particularly for a
  parameter that doesn’t start with a double quote. This applies to all SMTP
  services, including submission-login, which makes it possible to crash the
  submission service without authentication.
– CVE-2020-10958: lmtp/submission: Sending many invalid or unknown commands can
  cause the server to access freed memory, which can lead to a server crash.
  This happens when the server closes the connection with a “421 Too many
  invalid commands” error. The bad command limit depends on the service (lmtp
  or submission) and varies between 10 and 20 bad commands.
– CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address
  that has the empty quoted string as local-part causes the lmtp service to
  crash.

* Mon May 18 2020 Michal Hlavinka <> – 1:
– dovecot updated to
– fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957

[ 1 ] Bug #1834317 – CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS
[ 2 ] Bug #1834323 – CVE-2020-10958 dovecot: command followed by sufficient number of newlines leads to use-after-free
[ 3 ] Bug #1834326 – CVE-2020-10967 dovecot: sending mail with empty quoted localpart leads to DoS
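
The three conditions in the update information above, expressed as a check over client command lines reassembled from a capture or an SMTP proxy log. This is an added example, not code from Fedora or the Dovecot project; `scan_session`, the `KNOWN` verb set, the threshold of 10 (the lowest limit the advisory mentions) and the sample session are assumptions made for illustration.

```python
import re

# Verbs treated as valid SMTP/LMTP commands (assumption; extend for your site).
KNOWN = {"HELO", "EHLO", "LHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
         "QUIT", "VRFY", "AUTH", "STARTTLS"}
# RCPT whose address has the empty quoted string "" as local-part.
EMPTY_LOCALPART = re.compile(r'^RCPT\s+TO:\s*<?""(?:@|>|$)', re.I)
BAD_CMD_LIMIT = 10  # advisory gives 10 to 20 per service; lowest value assumed


def scan_session(lines, bad_limit=BAD_CMD_LIMIT):
    """Return (line_no, cve, reason) findings for one client's command lines."""
    findings, bad, in_data = [], 0, False
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if in_data:  # message body after DATA is not a command stream
            in_data = line != "."
            continue
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        arg = parts[1] if len(parts) > 1 else ""
        if verb not in KNOWN:  # unknown verbs and empty lines both count
            bad += 1
            if bad == bad_limit:
                findings.append((no, "CVE-2020-10958",
                                 f"{bad} invalid/unknown commands"))
        elif verb == "NOOP" and arg and not arg.startswith('"'):
            findings.append((no, "CVE-2020-10957", "NOOP parameter not quoted"))
        elif EMPTY_LOCALPART.match(line):
            findings.append((no, "CVE-2020-10967", "empty quoted local-part"))
        elif verb == "DATA":
            in_data = True
    return findings


# Constructed client-side session, not taken from a real capture.
SAMPLE = [
    "EHLO client.example",
    'NOOP "keepalive"',
    "NOOP keepalive",
    "MAIL FROM:<sender@client.example>",
    'RCPT TO:<""@mail.example>',
    "RCPT TO:<user@mail.example>",
    "DATA",
    "NOOP inside the body is message text",
    ".",
] + ["FOO"] * 10

if __name__ == "__main__":
    for finding in scan_session(SAMPLE):
        print(*finding, sep="\t")
```

Only unknown verbs and empty lines are counted toward the bad-command threshold; known verbs with malformed arguments are not, so treat a clean result as a heuristic rather than proof that a session was benign.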

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-b60344c987' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at

Author: Vlatka Misic
Cert ID: NCERT-REF-2020-05-0001-ADV