Mailu affected by dovecot CVE-2020-25275, CVE-2020-24386, CVE-2020-12100 #1720
in 1.7 is still 2.3.10.1. I hope there will be an update soon. Are you running 1.8 or master?
According to this: https://repology.org/project/dovecot/versions
Voting for a fix in 1.8, which is running on alpine 3.12 afaik!
I created an issue in the alpine bug tracker: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12286
Thanks micw, that was a good idea. I could build the container with 'alpine:edge' for version 1.7, but that doesn't mean it will work. I do not want to lose email, so I keep waiting for an official fix from the mailu developers.
Ok, I jumped the line and tried it out:
then, I have built with (git branch master) This worked, I can still receive email and my dovecot version is now: If you follow this, please do not forget to revert to official images as soon as the version has been upgraded.
I can confirm that upgrading to alpine:edge works well. Thanks @peter-englmaier! It bugs me quite a bit that alpine is keeping the issue internal even though the CVE is well known.
It bugs me too. I created an issue since I did not find any and it got closed because there's already a hidden one... I've seen that alpine 3.13 was recently released - does this contain a patched version of dovecot?
Hmm, there is neither a cloud image nor a docker image for 3.13 available. The mirrors have the files and seem to be up to date:
Good finding. I tried to quick-check it but did not find anything (packages are not even listed in https://pkgs.alpinelinux.org/packages?name=&branch=v3.13) So maybe we wait till tomorrow ^^ Does anyone have the time to test 1.7 with alpine 3.13? I can test 1.8 on my own server.
I'll do that this late evening (CET timezone). Do you want it for all the images or just the postfix one?
I already "tested" edge with 1.7 and it worked for me. I have, however, no idea what to test really. All I did is: build docker image using master branch, check version of dovecot inside, and integrate it in my 1.7 setup. I am using mailu only for some tiny mail domains of my own. Not much traffic, but it keeps coming. @foosinn: we need only the dovecot image rebuilt on the 1.7 branch with the new alpine base image. But there are errors when building the image (at least with alpine:edge). It cleanly builds only with the master branch. Mailu/1.7 must work with every possible setup and is currently the official latest version while 1.8 is preview.
AFAIK 1.8 is the current stable |
The last news I remember stated it is not. And the documentation says:
It would be best to have 1.7 fixed (most users I think are still on 1.7).
I'm about to create a patched dovecot package for alpine 3.10. Who could create a 1.7 docker from it and try if it properly works?
It turned out that there's another security issue, CVE-2020-12100. While I was able to modify the (small) patches for the initial two CVEs to work with the dovecot version in alpine 3.10, I failed with the (quite large) patch for CVE-2020-12100.
1730: Use alpine 3.13 to fix CVE-2020-25275 and CVE-2020-24386 r=mergify[bot] a=micw
## What type of PR?
bug-fix
## What does this PR do?
Upgrade dovecot alpine to 3.13 to fix CVEs in dovecot
### Related issue(s)
- #1720
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked. If an entry is not applicable, you can check it or remove it from the list.
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Michael Wyraz <michael@wyraz.de>
1732: Use alpine 3.13 to fix CVE-2020-25275 and CVE-2020-24386 r=mergify[bot] a=micw
## What type of PR?
bug-fix for 1.7 branch
## What does this PR do?
Upgrade dovecot alpine to 3.13 to fix CVEs in dovecot
### Related issue(s)
- #1720
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked. If an entry is not applicable, you can check it or remove it from the list.
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Michael Wyraz <michael@wyraz.de>
Sorry for the late reply from the team on this pressing issue — and biiig big thanks to @micw for taking this on! In the same sense thanks to everyone who participated here and discussed and prototyped solutions. Kudos to @micw's work, we now have a merged master update to the just-released
Unless there are some arguments against using A github security advisory is going to be published once the pull requests (or alternatives) are merged. Thanks everyone for your collaboration!
I'm going ahead and closing this issue; the PRs for the fixes are referenced, new images are uploaded to dockerhub, and a github security advisory including a few quick update notes is published here: Thanks to everyone!
(bit late but ...) confirmation for kubernetes, everything works fine in my setup with version 2.3.13. Thanks all :)
Same here, version 1.7 works fine.
CVE-2020-25275
Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.
CVE-2020-24386
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).
By checking the dovecot version in the mailu imap container (master tag) I get version 2.3.11.3, so I'm not sure if that fix has been backported or not.
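The thread's recurring check is "which Dovecot version is inside the running Mailu imap container, and is it at or past the 2.3.13 release that the CVE texts above name as fixed?" Added example script, not from the Mailu project or any commenter: a POSIX sh version comparison plus a wrapper around `docker exec`; the container name `mailu_imap_1` is an assumption, since Mailu deployments name it differently.

```shell
#!/bin/sh
# Added example (not Mailu code): classify a Dovecot version string against
# the 2.3.13 release that the issue text names as the fix for CVE-2020-25275,
# CVE-2020-24386 and CVE-2020-12100.

FIXED_VERSION="2.3.13"

# version_lt A B -> exit 0 if A sorts before B, comparing dot-separated
# numeric fields one at a time (so 2.3.10.1 < 2.3.13, unlike a string compare).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"
        # keep the tail after the first dot, or empty once the last field is used
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        fa="${fa:-0}"; fb="${fb:-0}"      # missing field counts as 0
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
    done
    return 1                              # equal versions are not "less than"
}

# dovecot_status VERSION -> prints "vulnerable" (older than 2.3.13) or "fixed".
dovecot_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Reduce `dovecot --version` output to the bare version number; the output
# may carry a build identifier in parentheses after the number.
parse_dovecot_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p'
}

# Query the live container. The default name "mailu_imap_1" is an assumption;
# pass the real container name as the first argument.
check_container() {
    name="${1:-mailu_imap_1}"
    out=$(docker exec "$name" dovecot --version 2>/dev/null) || {
        echo "could not run dovecot --version in container $name" >&2
        return 2
    }
    dovecot_status "$(parse_dovecot_version "$out")"
}
```

Run `check_container <your-imap-container>` after pulling new images to confirm the rebuilt container actually carries a fixed Dovecot, since a pull that silently kept an old base image leaves the version unchanged.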