CVE-2021-33515: SMTP Submission service STARTTLS injection
Timo Sirainen
timo at sirainen.com
Tue Jun 22 14:19:14 EEST 2021
On 22. Jun 2021, at 11.11, lists at lazygranch.com wrote:
>
>> Vulnerability Details:
>>
>> On-path attacker could inject plaintext commands before STARTTLS
>> negotiation that would be executed after STARTTLS finished with the
>> client. Only the SMTP submission service is affected.
>
> Centos 7 has no repo with 2.3.15. I am using 2.2.36 (1f10bfa63). Is
> this OK?
>
> This is my personal server, hence all the accounts are mine, so it
> isn't like I am going to hack myself.
Only the submission service is vulnerable, and v2.2.36 doesn't have the submission service at all. So it's not vulnerable to this.
And for the Sieve excessive resource usage it's not really a problem especially with personals servers.
More information about the dovecot
mailing list