FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-18 11:12:36 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID    Description
d18f431d-d360-11eb-a32c-00a0989e4ec1    dovecot -- multiple vulnerabilities

Dovecot team reports:

CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker-controlled keys to validate tokens in some configurations. This requires the attacker to be able to write files to local disk.

CVE-2021-33515: An on-path attacker could inject plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected.


Discovery 2021-03-22
Entry 2021-06-22
dovecot
ge 2.3.11 lt 2.3.14.1

CVE-2021-29157
https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html
CVE-2021-33515
https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
bd98066d-4ea4-11eb-b412-e86a64caca56    mail/dovecot -- multiple vulnerabilities

Aki Tuomi reports:

When imap hibernation is active, an attacker can cause Dovecot to discover file system directory structure and access other users' emails using a specially crafted command. The attacker must have valid credentials to access the mail server.

Mail delivery / parsing crashed when the 10 000th MIME part was message/rfc822 (or if parent was multipart/digest). This happened due to earlier MIME parsing changes for CVE-2020-12100.


Discovery 2020-08-17
Entry 2021-01-04
dovecot
< 2.3.13

https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
CVE-2020-24386
CVE-2020-25275