[BlueOnyx:24702] Re: Dovecot CVE-2020-24386
Meaulnes Legler @ MailList
bluelist at waveweb.ch
Thu Jan 7 02:54:21 -05 2021
man! Michael, I'm impressed each time by your detailed knowledge in all fields and topics for running our webservers
thank you for taking care!
a hopefully pleasant 2021
Meaulnes Legler
Zurich, Switzerland
+41¦0 44 260-1660
On 06.01.21 19:31, Michael Stauber wrote:
> Hi all,
>
>> https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
>>
>> They published a new version of Dovecot and it closes a vulnerability:
>>
>> * CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
>> allow logged in user to access other people's emails and filesystem
>> information.
>
> I just checked and according to
> https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
> Dovecot versions 2.2.26-2.3.11.3 are affected.
>
> HOWEVER: They are only affected if "imap_hibernate_timeout" is enabled.
>
> The Dovecot on both 5209R and 5210R does have this set to "0", so we're
> good:
>
> [root@5210r ~]# egrep imap_hibernate_timeout /etc/dovecot/conf.d/*
> /etc/dovecot/conf.d/20-imap.conf:#imap_hibernate_timeout = 0
>
> [root@5209r ~]# egrep imap_hibernate_timeout /etc/dovecot/conf.d/*
> /etc/dovecot/conf.d/20-imap.conf:#imap_hibernate_timeout = 0
>
> Means: We're good.
>
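
A fuller form of the check in the quoted message, as an added example that is not part of the original thread: the egrep output above matches a commented-out line, so this reads the effective value with `doveconf -h` and combines it with the affected version range quoted from the advisory. The function names are hypothetical, and GNU `sort -V` is assumed.

```bash
#!/bin/sh
# Added example: classify a host for CVE-2020-24386 from the Dovecot version
# and the effective imap_hibernate_timeout. Range and condition are the ones
# quoted in the thread above; function names are hypothetical.
AFFECTED_MIN="2.2.26"
AFFECTED_MAX="2.3.11.3"

# ver_le A B: true when version A <= version B (assumes GNU `sort -V`).
ver_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# version_affected VER: true when VER lies inside the affected range.
version_affected() {
    ver_le "$AFFECTED_MIN" "$1" && ver_le "$1" "$AFFECTED_MAX"
}

# hibernate_enabled VALUE: true when the time value is non-zero,
# e.g. "30s" or "5 mins"; "0", "0s" and an empty value count as disabled.
hibernate_enabled() {
    digits="${1%%[!0-9]*}"            # leading number of the time value
    case "$digits" in
        *[1-9]*) return 0 ;;
        *)       return 1 ;;
    esac
}

# assess VER VALUE: prints not-affected, mitigated or exposed.
assess() {
    if ! version_affected "$1"; then
        echo "not-affected"
    elif hibernate_enabled "$2"; then
        echo "exposed"
    else
        echo "mitigated"
    fi
}

# On a live host, read the real values; skipped when Dovecot is not installed.
if command -v doveconf >/dev/null 2>&1; then
    ver="$(dovecot --version | awk '{print $1}')"
    val="$(doveconf -h imap_hibernate_timeout 2>/dev/null)"
    echo "dovecot $ver, imap_hibernate_timeout='$val': $(assess "$ver" "$val")"
fi
```

"mitigated" means the version is in the affected range but hibernation is off, which is the state the quoted message reports for 5209R and 5210R.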