[BlueOnyx:24701] Re: Dovecot CVE-2020-24386
Michael Stauber
mstauber at blueonyx.it
Wed Jan 6 13:31:35 -05 2021
Hi all,

> https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
>
> They published a new version of Dovecot and it closes a vulnerability:
>
> * CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
> allow logged in user to access other people's emails and filesystem
> information.

I just checked and according to
https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
Dovecot versions 2.2.26-2.3.11.3 are affected.

HOWEVER: They are only affected if "imap_hibernate_timeout" is enabled.
The Dovecot on both 5209R and 5210R does have this set to "0", so we're
good:

[root@5210r ~]# egrep imap_hibernate_timeout /etc/dovecot/conf.d/*
/etc/dovecot/conf.d/20-imap.conf:#imap_hibernate_timeout = 0
[root@5209r ~]# egrep imap_hibernate_timeout /etc/dovecot/conf.d/*
/etc/dovecot/conf.d/20-imap.conf:#imap_hibernate_timeout = 0

Means: We're good.
--
With best regards
Michael Stauber
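
The check from the message above, as an added example that is not part of the original post or of BlueOnyx's own tooling: it skips commented-out lines, treats only a non-zero "imap_hibernate_timeout" as enabled, and reports exposure only for versions in the stated 2.2.26-2.3.11.3 range. The function names, the version passed in and the sample config line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Config text arrives on stdin, e.g. from `doveconf -n`
# or from the files under /etc/dovecot/conf.d/.

# Print "enabled" or "disabled"; the last active assignment wins.
hibernate_state() {
    awk '
        /^[ \t]*#/ { next }    # commented-out line: built-in default (0) applies
        /^[ \t]*imap_hibernate_timeout[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # keep the text after "="
            sub(/[ \t]+#.*$/, "", val)      # drop a trailing comment
            sub(/[ \t]+$/, "", val)         # drop trailing whitespace
            last = val
        }
        END {
            # unset, empty, "0", "0s", "0 secs" all mean hibernation is off
            if (last == "" || last ~ /^0+[ \t]*[a-z]*$/) print "disabled"
            else print "enabled"
        }'
}

# Turn "2.3.11.3" into one integer so versions compare numerically.
ver_key() {
    echo "$1" | awk -F. '{ printf "%d%03d%03d%03d\n", $1, $2, $3, $4 }'
}

# True when $1 lies in the affected range given in the advisory.
version_in_range() {
    v=$(ver_key "$1")
    [ "$v" -ge "$(ver_key 2.2.26)" ] && [ "$v" -le "$(ver_key 2.3.11.3)" ]
}

# $1 = Dovecot version, config on stdin. Prints "exposed" or "not exposed".
assess() {
    state=$(hibernate_state)
    if version_in_range "$1" && [ "$state" = enabled ]; then
        echo "exposed"
    else
        echo "not exposed"
    fi
}

# Constructed sample: the commented-out line from the grep output above,
# paired with an assumed version inside the affected range.
printf '%s\n' '#imap_hibernate_timeout = 0' | assess 2.3.11.3
```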