Security update for dovecot23

Announcement ID:	SUSE-SU-2019:2516-1
Rating:	important
References:	bsc#1133624 bsc#1133625 bsc#1145559
Cross-References:	CVE-2019-11494 CVE-2019-11499 CVE-2019-11500
CVSS scores:	CVE-2019-11494 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-11494 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-11499 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-11499 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-11500 ( SUSE ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-11500 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	Server Applications Module 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves three vulnerabilities can now be installed.

Description:

This update for dovecot23 fixes the following issue:

• CVE-2019-11500: Fixed the NUL byte handling in IMAP and ManageSieve protocol parsers. (bsc#1145559)
• CVE-2019-11499: Fixed a vulnerability where the submission-login would crash over a TLS secured channel (bsc#1133625).
• CVE-2019-11494: Fixed a denial of service if the authentication is aborted by disconnecting (bsc#1133624).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Server Applications Module 15
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2019-2516=1

Package List:

• Server Applications Module 15 (aarch64 ppc64le s390x x86_64)
  • dovecot23-backend-sqlite-2.3.3-4.18.1
  • dovecot23-backend-mysql-debuginfo-2.3.3-4.18.1
  • dovecot23-backend-sqlite-debuginfo-2.3.3-4.18.1
  • dovecot23-devel-2.3.3-4.18.1
  • dovecot23-fts-squat-2.3.3-4.18.1
  • dovecot23-backend-pgsql-debuginfo-2.3.3-4.18.1
  • dovecot23-2.3.3-4.18.1
  • dovecot23-fts-2.3.3-4.18.1
  • dovecot23-fts-debuginfo-2.3.3-4.18.1
  • dovecot23-backend-pgsql-2.3.3-4.18.1
  • dovecot23-debuginfo-2.3.3-4.18.1
  • dovecot23-debugsource-2.3.3-4.18.1
  • dovecot23-fts-lucene-2.3.3-4.18.1
  • dovecot23-fts-squat-debuginfo-2.3.3-4.18.1
  • dovecot23-fts-solr-2.3.3-4.18.1
  • dovecot23-fts-lucene-debuginfo-2.3.3-4.18.1
  • dovecot23-backend-mysql-2.3.3-4.18.1
  • dovecot23-fts-solr-debuginfo-2.3.3-4.18.1

References:

• https://www.suse.com/security/cve/CVE-2019-11494.html
• https://www.suse.com/security/cve/CVE-2019-11499.html
• https://www.suse.com/security/cve/CVE-2019-11500.html
• https://bugzilla.suse.com/show_bug.cgi?id=1133624
• https://bugzilla.suse.com/show_bug.cgi?id=1133625
• https://bugzilla.suse.com/show_bug.cgi?id=1145559