-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 28 Dec 2020 15:18:55 -0800 Source: dovecot Architecture: source Version: 1:2.3.4.1-5+deb10u5 Distribution: buster-security Urgency: high Maintainer: Dovecot Maintainers <dovecot@packages.debian.org> Changed-By: Noah Meyerhans <noahm@debian.org> Changes: dovecot (1:2.3.4.1-5+deb10u5) buster-security; urgency=high . * Import upstream fix for security issues: - CVE-2020-24386 - When imap hibernation is active, an attacker can cause Dovecot to discover file system directory structure and access other users' emails using specially crafted command. The attacker must have valid credentials to access the mail server. - CVE-2020-25275 - Mail delivery / parsing crashed when the 10 000th MIME part was message/rfc822 (or if parent was multipart/digest). Checksums-Sha1: 56e04cb1af0a6bc47d7defc6307d18de2b7b9492 3400 dovecot_2.3.4.1-5+deb10u5.dsc 3df91de7fa94587c4236cdcdedbc58db4086f4d1 559776 dovecot_2.3.4.1-5+deb10u5.debian.tar.xz 68505eb6f54bd90e1e79a57bc8d221ae9ae24208 8419 dovecot_2.3.4.1-5+deb10u5_source.buildinfo Checksums-Sha256: 41dc7f7f674d55e3ee16952cebad0cea2322faf929f70f27e58280d9734d63c5 3400 dovecot_2.3.4.1-5+deb10u5.dsc 6d0dd8738c7b9bf3014e00a6827e9601abcba75248e1c208c3e35eff7c380e53 559776 dovecot_2.3.4.1-5+deb10u5.debian.tar.xz 0f2ba7e903996ff2b1cebc71004d3ed8f823a9e890d683b35623c172e6d1c41e 8419 dovecot_2.3.4.1-5+deb10u5_source.buildinfo Files: fa7ae7cec977dcc25d51263512975849 3400 mail optional dovecot_2.3.4.1-5+deb10u5.dsc c3db6d62719359ce6cbd3a6740a793fb 559776 mail optional dovecot_2.3.4.1-5+deb10u5.debian.tar.xz d3e51b5efcfd655e5baa2905118b70b6 8419 mail optional dovecot_2.3.4.1-5+deb10u5_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJFBAEBCgAvFiEE65xaF5r2LDCTz+zyV68+Bn2yWDMFAl/tThIRHG5vYWhtQGRl Ymlhbi5vcmcACgkQV68+Bn2yWDOc+xAAvBEwBNqoDG4XR/DN4twwoaum1dlONl8d Ugmpfk+K2SD5FQyHfDCXWhUko5x3l697S1g04kferKFOsoWS1h9IsNP9SqWYb70G gh14VnUmv1PTnxEvgPKMsc8YTETR600jKgEgAL4vNklz585ka+JqfJkx/S5bRNQQ 57zq112/EBuxJPzj6KgJu0o/BKg2s6uJX+9ZBg1V94PEuXWNAOc0jsOQD8Qwkmt6 Ch6lgqGRyIJCFZCWFPJzJkfMfDex2W6fmlYXCU1dQnKwocMkoAKrDW3En2+8Ufr7 XrER9tg9pW/68KNLTGCwFeh7APMUVj28zoMAi0Tw1IJ95Pvny2e9tT2uXGBqIYVB RlyMS7T5BLrQFAfQo7gxaX5MdNGwN/I383ABbVHFypiFQVv0wT9g85Eo2tjgOdvH NgrLxQuN5AFaXMcaf65RiHJcMZxcWgbbqwLw/40BGmrV3W7BXHql3aPZODatg6iI SlDITGkHZgRBZ/uZnBNaCW4ENu+hLIYVIE0WkKuzPivkgZA901BnX6yUmRWQC+K/ liTR5Vx8emqyk5DMeEiOBSt3oiVMCFNLVyjPI5bjcEOIlfaMXFyOCLhf5INHjM9t yU38LgEOnzs2HSR0LUbgsVc70Ir+cJgzOtpk8aCxiqVjW9erUSglQ3N+bhLLK56p CiNs87PXc4A= =NtN6 -----END PGP SIGNATURE-----