<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 22.06.2021 at 11:11, <a href="mailto:lists@lazygranch.com" class="">lists@lazygranch.com</a> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class=""><br class=""><br class="">On Mon, 21 Jun 2021 13:51:30 +0200<br class="">Timo Sirainen <<a href="mailto:timo@sirainen.com" class="">timo@sirainen.com</a>> wrote:<br class=""><br class=""><blockquote type="cite" class="">Open-Xchange Security Advisory 2021-06-21<br class=""><br class="">Product: Dovecot<br class="">Vendor: OX Software GmbH<br class="">Internal reference: DOV-4583 (Bug ID)<br class="">Vulnerability type: CWE-74: Failure to Sanitize Data into a Different<br class="">Plane ('Injection')<br class="">Vulnerable version: 2.3.0-2.3.14<br class="">Vulnerable component: submission<br class="">Report confidence: Confirmed<br class="">Solution status: Fixed by Vendor<br class="">Fixed version: 2.3.14.1<br class="">Vendor notification: 2021-05-21<br class="">Solution date: 2021-05-22<br class="">Public disclosure: 2021-06-21<br class="">CVE reference: CVE-2021-33515<br class="">CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)<br class="">Researcher credit: Fabian Ising and Damian Poddebniak of Münster<br class="">University of Applied Sciences<br class=""><br class="">Vulnerability Details:<br class=""><br class="">On-path attacker could inject plaintext commands before STARTTLS<br class="">negotiation that would be executed after STARTTLS finished with the<br class="">client. Only the SMTP submission service is affected.<br class=""><br class="">Risk:<br class=""><br class="">Attacker can potentially steal user credentials and mails. 
The<br class="">attacker needs to have sending permissions on the submission server<br class="">(a valid username and password).<br class=""><br class="">Workaround:<br class=""><br class="">None.<br class=""><br class="">Solution:<br class=""><br class="">Operators should update to 2.3.14.1 or later version.<br class=""><br class=""></blockquote><br class="">Centos 7 has no repo with 2.3.15. I am using 2.2.36 (1f10bfa63). Is<br class="">this OK?<br class=""><br class=""></div></div></blockquote><div><br class=""></div><div>check <a href="https://repo.dovecot.org" class="">https://repo.dovecot.org</a></div></div><div><br class=""></div><div>/Götz</div><style type="text/css" class="">
</style></body></html>