ALAS-2020-1435

A flaw was found in dovecot. A remote attacker could cause a denial of service by repeatedly sending emails containing MIME parts containing malicious content of which dovecot will attempt to parse. The highest threat from this vulnerability is to system availability. In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts. (CVE-2020-12100)

In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read. A flaw was found in dovecot. An out-of-bounds read flaw was found in the way dovecot handled NTLM authentication allowing an attacker to crash the dovecot auth process repeatedly preventing login. The highest threat from this vulnerability is to system availability. (CVE-2020-12673)

In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled. A flaw was found in dovecot. An attacker can use the way dovecot handles RPA (Remote Passphrase Authentication) to crash the authentication process repeatedly preventing login. The highest threat from this vulnerability is to system availability. (CVE-2020-12674)

i686:
    dovecot-devel-2.2.36-6.21.amzn1.i686
    dovecot-pgsql-2.2.36-6.21.amzn1.i686
    dovecot-mysql-2.2.36-6.21.amzn1.i686
    dovecot-2.2.36-6.21.amzn1.i686
    dovecot-debuginfo-2.2.36-6.21.amzn1.i686
    dovecot-pigeonhole-2.2.36-6.21.amzn1.i686

src:
    dovecot-2.2.36-6.21.amzn1.src

x86_64:
    dovecot-pgsql-2.2.36-6.21.amzn1.x86_64
    dovecot-mysql-2.2.36-6.21.amzn1.x86_64
    dovecot-devel-2.2.36-6.21.amzn1.x86_64
    dovecot-pigeonhole-2.2.36-6.21.amzn1.x86_64
    dovecot-debuginfo-2.2.36-6.21.amzn1.x86_64
    dovecot-2.2.36-6.21.amzn1.x86_64