CVE-2020-25275

NameCVE-2020-25275
DescriptionDovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2517-1, DSA-4825-1
Debian Bugs979363

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dovecot (PTS)bullseye1:2.3.13+dfsg1-2+deb11u1fixed
bullseye (security)1:2.3.13+dfsg1-2+deb11u2fixed
bookworm, bookworm (security)1:2.3.19.1+dfsg1-2.1+deb12u1fixed
sid, trixie1:2.3.21.1+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dovecotsourcestretch1:2.2.27-3+deb9u7DLA-2517-1
dovecotsourcebuster1:2.3.4.1-5+deb10u5DSA-4825-1
dovecotsource(unstable)1:2.3.13+dfsg1-1979363

Notes

https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html
https://github.com/dovecot/core/commit/67f792cb98267ee74c425772e766e7a2525c0d8f
https://github.com/dovecot/core/commit/6ae93c3936fc870c313a6fdf44a0999d4129d9b8

Search for package or bug name: Reporting problems