CVE-2020-25275

NameCVE-2020-25275
DescriptionDovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2517-1, DSA-4825-1
NVD severitymedium
Debian Bugs979363

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dovecot (PTS)stretch1:2.2.27-3+deb9u5vulnerable
stretch (security)1:2.2.27-3+deb9u7fixed
buster1:2.3.4.1-5+deb10u6fixed
buster (security)1:2.3.4.1-5+deb10u5fixed
bullseye, sid1:2.3.13+dfsg1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dovecotsourcestretch1:2.2.27-3+deb9u7DLA-2517-1
dovecotsourcebuster1:2.3.4.1-5+deb10u5DSA-4825-1
dovecotsource(unstable)1:2.3.13+dfsg1-1979363

Notes

https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html
https://github.com/dovecot/core/commit/67f792cb98267ee74c425772e766e7a2525c0d8f
https://github.com/dovecot/core/commit/6ae93c3936fc870c313a6fdf44a0999d4129d9b8

Search for package or bug name: Reporting problems