SuSE Local Security Checks : SUSE: Security Advisory (SUSE-SU-2019:0414-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.1.4.2019.0414.1

Category: SuSE Local Security Checks

Title: SUSE: Security Advisory (SUSE-SU-2019:0414-1)

Summary: The remote host is missing an update for the 'dovecot23' package(s) announced via the SUSE-SU-2019:0414-1 advisory.

Description: Summary:
The remote host is missing an update for the 'dovecot23' package(s) announced via the SUSE-SU-2019:0414-1 advisory.

Vulnerability Insight:
This update for dovecot23 fixes the following issues:

dovecot was updated to 2.3.3 release, bringing lots of bugfixes
(bsc#1124356).

Also the following security issue was fixed:
CVE-2019-3814: A vulnerability in Dovecot related to SSL client
certificate authentication was fixed (bsc#1123022)

The package changes:

Updated pigeonhole to 0.5.3:
Fix assertion panic occurring when managesieve service fails to
open INBOX while saving a Sieve script. This was caused by a lack of
cleanup after failure.

Fix specific messages causing an assert panic with actions that compose
a reply (e.g. vacation). With some rather weird input from the original
message, the header folding algorithm (as used for composing the
References header for the reply) got confused, causing the panic.

IMAP FILTER=SIEVE capability: Fix FILTER SIEVE SCRIPT command parsing.
After finishing reading the Sieve script, the command parsing sometimes
didn't continue with the search arguments. This is a time- critical bug
that likely only occurs when the Sieve script is sent in the next TCP
frame.

dovecot23 was updated to 2.3.3:
doveconf hides more secrets now in the default output.

ssl_dh setting is no longer enforced at startup. If it's not set and
non-ECC DH key exchange happens, error is logged and client is
disconnected.

Added log_debug= setting.

Added log_core_filter= setting.

quota-clone: Write to dict asynchronously

--enable-hardening attempts to use retpoline Spectre 2 mitigations

lmtp proxy: Support source_ip passdb extra field.

doveadm stats dump: Support more fields and output stddev by default.

push-notification: Add SSL support for OX backend.

NUL bytes in mail headers can cause truncated replies when fetched.

director: Conflicting host up/down state changes may in some rare
situations ended up in a loop of two directors constantly
overwriting each others' changes.

director: Fix hang/crash when multiple doveadm commands are being
handled concurrently.

director: Fix assert-crash if doveadm disconnects too early

virtual plugin: Some searches used 100% CPU for many seconds

dsync assert-crashed with acl plugin in some situations. (bsc#1119850)

mail_attachment_detection_options=add-flags-on-save assert-crashed with
some specific Sieve scripts.

Mail snippet generation crashed with mails containing invalid
Content-Type:multipart header.

Log prefix ordering was different for some log lines.

quota: With noenforcing option current quota usage wasn't updated.

auth: Kerberos authentication against Samba assert-crashed.

stats clients were unnecessarily chatty with the stats server.

imapc: Fixed various assert-crashes when reconnecting to server.

lmtp, submission: Fix potential crash if client disconnects while
handling a command.

quota: Fixed compiling with glibc-2.26 / support libtirpc.

fts-solr: Empty search values resulted in 400 Bad Request errors

fts-solr: ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'dovecot23' package(s) on SUSE Linux Enterprise Module for Server Applications 15.

Solution:
Please install the updated package(s).

CVSS Score:
4.9

CVSS Vector:
AV:N/AC:M/Au:S/C:P/I:P/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2019-3814
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/
https://security.gentoo.org/glsa/201904-19
https://www.dovecot.org/list/dovecot/2019-February/114575.html
RedHat Security Advisories: RHSA-2019:3467
https://access.redhat.com/errata/RHSA-2019:3467
SuSE Security Announcement: openSUSE-SU-2019:1220 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html

Copyright Copyright (C) 2021 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.1.4.2019.0414.1
Category:	SuSE Local Security Checks
Title:	SUSE: Security Advisory (SUSE-SU-2019:0414-1)
Summary:	The remote host is missing an update for the 'dovecot23' package(s) announced via the SUSE-SU-2019:0414-1 advisory.
Description:	Summary: The remote host is missing an update for the 'dovecot23' package(s) announced via the SUSE-SU-2019:0414-1 advisory. Vulnerability Insight: This update for dovecot23 fixes the following issues: dovecot was updated to 2.3.3 release, bringing lots of bugfixes (bsc#1124356). Also the following security issue was fixed: CVE-2019-3814: A vulnerability in Dovecot related to SSL client certificate authentication was fixed (bsc#1123022) The package changes: Updated pigeonhole to 0.5.3: Fix assertion panic occurring when managesieve service fails to open INBOX while saving a Sieve script. This was caused by a lack of cleanup after failure. Fix specific messages causing an assert panic with actions that compose a reply (e.g. vacation). With some rather weird input from the original message, the header folding algorithm (as used for composing the References header for the reply) got confused, causing the panic. IMAP FILTER=SIEVE capability: Fix FILTER SIEVE SCRIPT command parsing. After finishing reading the Sieve script, the command parsing sometimes didn't continue with the search arguments. This is a time- critical bug that likely only occurs when the Sieve script is sent in the next TCP frame. dovecot23 was updated to 2.3.3: doveconf hides more secrets now in the default output. ssl_dh setting is no longer enforced at startup. If it's not set and non-ECC DH key exchange happens, error is logged and client is disconnected. Added log_debug= setting. Added log_core_filter= setting. quota-clone: Write to dict asynchronously --enable-hardening attempts to use retpoline Spectre 2 mitigations lmtp proxy: Support source_ip passdb extra field. doveadm stats dump: Support more fields and output stddev by default. push-notification: Add SSL support for OX backend. NUL bytes in mail headers can cause truncated replies when fetched. director: Conflicting host up/down state changes may in some rare situations ended up in a loop of two directors constantly overwriting each others' changes. director: Fix hang/crash when multiple doveadm commands are being handled concurrently. director: Fix assert-crash if doveadm disconnects too early virtual plugin: Some searches used 100% CPU for many seconds dsync assert-crashed with acl plugin in some situations. (bsc#1119850) mail_attachment_detection_options=add-flags-on-save assert-crashed with some specific Sieve scripts. Mail snippet generation crashed with mails containing invalid Content-Type:multipart header. Log prefix ordering was different for some log lines. quota: With noenforcing option current quota usage wasn't updated. auth: Kerberos authentication against Samba assert-crashed. stats clients were unnecessarily chatty with the stats server. imapc: Fixed various assert-crashes when reconnecting to server. lmtp, submission: Fix potential crash if client disconnects while handling a command. quota: Fixed compiling with glibc-2.26 / support libtirpc. fts-solr: Empty search values resulted in 400 Bad Request errors fts-solr: ... [Please see the references for more information on the vulnerabilities] Affected Software/OS: 'dovecot23' package(s) on SUSE Linux Enterprise Module for Server Applications 15. Solution: Please install the updated package(s). CVSS Score: 4.9 CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2019-3814 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/ https://security.gentoo.org/glsa/201904-19 https://www.dovecot.org/list/dovecot/2019-February/114575.html RedHat Security Advisories: RHSA-2019:3467 https://access.redhat.com/errata/RHSA-2019:3467 SuSE Security Announcement: openSUSE-SU-2019:1220 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html
Copyright	Copyright (C) 2021 Greenbone AG