{"id":"MGASA-2021-0557","summary":"Updated dovecot packages fix security vulnerabilities","details":"Updated dovecot packages fix security vulnerabilities:\n\nThe Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource\nConsumption, as demonstrated by a situation with a complex regular\nexpression for the regex extension (CVE-2020-28200).\n\nDovecot before 2.3.15 allows ../ Path Traversal. An attacker with access\nto the local filesystem can trick OAuth2 authentication into using an HS256\nvalidation key from an attacker-controlled location. This occurs during use\nof local JWT validation with the posix fs driver (CVE-2021-29157).\n\nThe submission service in Dovecot before 2.3.15 allows STARTTLS command\ninjection in lib-smtp. Sensitive information can be redirected to an\nattacker-controlled address (CVE-2021-33515).\n","modified":"2026-02-04T02:44:14.088748Z","published":"2021-12-19T12:26:08Z","related":["CVE-2020-28200","CVE-2021-29157","CVE-2021-33515"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0557.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29160"},{"type":"REPORT","url":"https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html"},{"type":"REPORT","url":"https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html"},{"type":"REPORT","url":"https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html"},{"type":"REPORT","url":"https://dovecot.org/pipermail/dovecot-news/2021-June/000459.html"},{"type":"REPORT","url":"https://dovecot.org/pipermail/dovecot-news/2021-June/000457.html"},{"type":"REPORT","url":"https://dovecot.org/pipermail/dovecot-news/2021-October/000465.html"},{"type":"REPORT","url":"https://dovecot.org/pipermail/dovecot-news/2021-December/000468.html"}],"affected":[{"package":{"name":"dovecot","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/dovecot?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.3.17.1-1.1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0557.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}