Bug 1973611 (CVE-2020-28200)

Summary: CVE-2020-28200 dovecot: insufficient protection against excessive resource usage allows for a DoS
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anon.amish, bennie.joubert, cbuissar, janfrode, mhlavink, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dovecot 2.3.15 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-29 07:21:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1974394, 1980017, 1980018, 1980019    
Bug Blocks: 1973612    

Description Marian Rehak 2021-06-18 10:21:28 UTC 
Sieve interpreter is not protected against abusive scripts that claim excessive resource usage. Especially scripts using massive amounts of regexps. Attacker can DoS the mail delivery system by using excessive amount of CPU and/or reaching the lmtp/lda process limits.


Workaround: Disabling the regex sieve extension avoids the worst problems. lmtp_user_concurrency_limit may also be helpful.

Reference : https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
Comment 1 Guilherme de Almeida Suckevicz 2021-06-21 14:49:25 UTC 
Created dovecot tracking bugs for this issue:

Affects: fedora-all [bug 1974394]