USN-4993-1: Dovecot vulnerabilities
21 June 2021
Several security issues were fixed in Dovecot.
- dovecot - IMAP and POP3 email server
Kirin discovered that Dovecot incorrectly escaped kid and azp fields in JWT
tokens. A local attacker could possibly use this issue to validate tokens
using arbitrary keys. This issue only affected Ubuntu 20.10 and Ubuntu
Fabian Ising and Damian Poddebniak discovered that Dovecot incorrectly
handled STARTTLS when using the SMTP submission service. A remote attacker
could possibly use this issue to inject plaintext commands before
STARTTLS negotiation. (CVE-2021-33515)
The problem can be corrected by updating your system to the following package versions:
In general, a standard system update will make all the necessary changes.