[PSA] Dovecot Security Vulnerability


#1

Short version of the story: upgrade Dovecot (sudo apt-get update; sudo apt-get upgrade dovecot-core).

I am on the Ubuntu security mailing list, where the email people all the security vulnerabilities. There’s apparently a way to mess with POP3/FTS headers with Dovecot to escalate to root privileges and execute arbitrary code. But “[o]nly installations using the FTS or pop3 migration plugins are affected.” Not sure if MIAB uses any POP3 migration plugins though.

I thought I would share this interesting information with you guys. I don’t know too much about this stuff, so it could just me talking out of ignorance. But I thought I could also mention while I am at it, Canonical is going to no longer support Ubuntu LTS 14.04 starting 30 April 2019. Security vulnerabilities get missed all the time, it’s just a matter of patching them. Once you stop patching them, attackers start to get the advantage.

That said, be sure to upgrade your Mail-in-a-Box machines to Ubuntu LTS 18.04, if you have not already done so. Time is running out.

Here’s the information:
https://usn.ubuntu.com/usn/usn-3928-1
Ubuntu: CVE-2019-7524
Debian: https://security-tracker.debian.org/tracker/CVE-2019-7524
Priority: medium
(medium: “Open vulnerability that is a real problem and is exploitable for many users of the affected software. Examples include network daemon denial of service, cross-site scripting and gaining user privileges.”)


#2

Thanks. Mail-in-a-Box is likely affected. (Starting with v0.40 we don’t have FTS enabled, but all versions have had POP3 enabled.)

Since we have security updates installed automatically, I think everyone will get the fix within a day.

When I run:

dpkg -s dovecot-core | grep ^Version

I currently get version 1:2.2.33.2-1ubuntu4.2.

According to the Ubuntu link above, the fixed version is 1:2.2.33.2-1ubuntu4.3. Maybe in a few hours my box will install it…


#3

This morning my box has the latest version of dovecot-core (I didn’t do any manual upgrades) so I think we’re all set with the automatic update.


closed #4

This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.