Vulnerability CVE-2021-33515: Information
Description
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.
Severity: MEDIUM (4.8) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
dovecot | sisyphus | 2.3.16-alt1 | 2.3.21-alt1 | ALT-PU-2021-2500-1 | 282488 | Fixed |
dovecot | p10 | 2.3.16-alt1 | 2.3.21-alt1 | ALT-PU-2021-2537-1 | 282504 | Fixed |
dovecot | p9 | 2.3.16-alt1 | 2.3.16-alt1 | ALT-PU-2021-2579-1 | 282506 | Fixed |
dovecot | c10f1 | 2.3.16-alt1 | 2.3.19.1-alt2 | ALT-PU-2021-2537-1 | 282504 | Fixed |
dovecot | c9f2 | 2.3.16-alt1 | 2.3.19.1-alt2 | ALT-PU-2021-2548-1 | 282505 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://dovecot.org/security | |
https://www.openwall.com/lists/oss-security/2021/06/28/2 | |
GLSA-202107-41 | |
[debian-lts-announce] 20220927 [SECURITY] [DLA 3122-1] dovecot security update | |
FEDORA-2021-208340a217 | |
FEDORA-2021-891c1ab1ac | |