On 22.06.2021 at 11:11, lists@lazygranch.com wrote:



On Mon, 21 Jun 2021 13:51:30 +0200
Timo Sirainen <timo@sirainen.com> wrote:

Open-Xchange Security Advisory 2021-06-21

Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-4583 (Bug ID)
Vulnerability type: CWE-74: Failure to Sanitize Data into a Different Plane ('Injection')
Vulnerable version: 2.3.0-2.3.14
Vulnerable component: submission
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.14.1
Vendor notification: 2021-05-21
Solution date: 2021-05-22
Public disclosure: 2021-06-21
CVE reference: CVE-2021-33515
CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
Researcher credit: Fabian Ising and Damian Poddebniak of Münster
University of Applied Sciences

Vulnerability Details:

On-path attacker could inject plaintext commands before STARTTLS
negotiation that would be executed after STARTTLS finished with the
client. Only the SMTP submission service is affected.

Risk:

Attacker can potentially steal user credentials and mails. The
attacker needs to have sending permissions on the submission server
(a valid username and password).

Workaround:

None.

Solution:

Operators should update to 2.3.14.1 or later version.


CentOS 7 has no repo with 2.3.15. I am using 2.2.36 (1f10bfa63). Is
this OK?


Check https://repo.dovecot.org

/Götz
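The injection pattern the quoted advisory describes, modelled as an added example. This is constructed code, not Dovecot's submission service and not anything posted in this thread: a minimal SMTP-like session keeps a read buffer, and the only difference between the two variants is whether bytes already read from the socket are discarded when STARTTLS is processed. The client, the injected command and the AUTH line are all made up for the demonstration.

```python
"""Model of plaintext command injection across STARTTLS (CWE-74).

Constructed example: a toy submission session, not Dovecot code. An on-path
attacker appends an extra command to the TCP segment carrying the client's
STARTTLS. A server that keeps already-read bytes in its input buffer across the
TLS handshake later consumes them as if the authenticated client had sent them
over TLS. RFC 3207 section 4.2 requires the server to reset SMTP state after
the handshake; dropping the pre-TLS read buffer is the part modelled here.
"""


class SubmissionSession:
    """Toy command loop. Every non-STARTTLS line is 'executed' and recorded
    together with whether the session believed it arrived over TLS."""

    def __init__(self, flush_on_starttls: bool):
        self.flush_on_starttls = flush_on_starttls
        self.tls = False
        self.buf = b""
        self.executed = []   # list of (command, seen_as_tls)
        self.responses = []

    def feed(self, data: bytes) -> None:
        """Bytes arriving from the socket, one read() at a time."""
        self.buf += data
        self._process()

    def _process(self) -> None:
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            cmd = line.decode("ascii", "replace")
            verb = cmd.split(" ", 1)[0].upper()
            if verb == "STARTTLS":
                if self.tls:
                    self.responses.append("503 5.5.1 TLS already active")
                    continue
                self.responses.append("220 2.0.0 Begin TLS negotiation now.")
                self.tls = True
                if self.flush_on_starttls:
                    # Hardened variant: anything read before the handshake
                    # came in plaintext and is discarded, so the next bytes
                    # processed are the first ones received inside TLS.
                    self.buf = b""
                # The TLS handshake would happen here. Everything fed after
                # this point models data decrypted from the real client.
                return
            self.executed.append((cmd, self.tls))
            state = "TLS" if self.tls else "plaintext"
            self.responses.append(f"250 2.0.0 OK ({state})")


INJECTED = "NOOP injected-by-attacker"   # constructed stand-in for any command


def run_scenario(flush_on_starttls: bool) -> SubmissionSession:
    """Replay a constructed session: EHLO, STARTTLS with an injected trailing
    command in the same segment, then the client's first post-TLS command."""
    s = SubmissionSession(flush_on_starttls)
    s.feed(b"EHLO client.example\r\n")
    # On-path attacker appends a command to the client's STARTTLS segment.
    s.feed(b"STARTTLS\r\n" + INJECTED.encode() + b"\r\n")
    # Handshake completes; the legitimate client now authenticates over TLS.
    s.feed(b"AUTH PLAIN AGFsaWNlAHNlY3JldA==\r\n")
    return s


def injected_command_ran_inside_tls(flush_on_starttls: bool) -> bool:
    """True if the attacker's plaintext command was executed with TLS state."""
    return (INJECTED, True) in run_scenario(flush_on_starttls).executed


if __name__ == "__main__":
    for flush in (False, True):
        label = "flushes read buffer" if flush else "keeps read buffer"
        print(f"{label}: injected command executed inside TLS ="
              f" {injected_command_ran_inside_tls(flush)}")
```

Against a real server the same check is done on the wire by sending `STARTTLS\r\n` plus an extra line in one write, completing the handshake, and watching whether the reply to that extra line appears inside the TLS session; the model above only shows why the buffer handling is the deciding factor.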