As per upstream: Vulnerability Details: Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past the allocation, which can lead to a crash. Risk: An adversary can use this vulnerability to crash the dovecot auth process repeatedly, preventing login.
Created attachment 1710594: Upstream patch
Mitigation: Upstream suggests that this flaw can be mitigated by disabling NTLM authentication. NTLM authentication can be disabled by using the configuration parameter "auth_mechanisms". More details available at: https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/
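One way to check a configuration for the mitigation described above, as an added example that is not part of this bug report or of Dovecot itself. The helper name `check_auth_mechanisms` is hypothetical and `SAMPLE_CONF` is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the bug report or the Dovecot project).
# Reads Dovecot configuration text on stdin, reports each auth_mechanisms
# assignment that enables NTLM, and prints that line with NTLM removed.
# Exit status: 1 if NTLM was found, 0 otherwise.
check_auth_mechanisms() {   # hypothetical helper name
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                      # ignore trailing comments
        if (line !~ /^[ \t]*auth_mechanisms[ \t]*=/) next
        value = line
        sub(/^[^=]*=/, "", value)                 # keep the part after "="
        n = split(value, mech, /[ \t]+/)
        kept = ""; hit = 0
        for (i = 1; i <= n; i++) {
            if (mech[i] == "") continue
            # Assumption: compare names case-insensitively to be conservative.
            if (tolower(mech[i]) == "ntlm") { hit = 1; continue }
            kept = (kept == "" ? mech[i] : kept " " mech[i])
        }
        if (!hit) next
        found = 1
        # NTLM as the only mechanism leaves nothing to authenticate with.
        if (kept == "") kept = "<choose a replacement mechanism>"
        printf "%d: auth_mechanisms = %s\n", NR, kept
    }
    END { exit (found ? 1 : 0) }
    '
}

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF='# constructed sample
auth_mechanisms = plain login ntlm   # legacy clients
!include auth-system.conf.ext'

printf '%s\n' "$SAMPLE_CONF" | check_auth_mechanisms \
    || echo "NTLM is enabled; replace the setting with the line shown above"
```

On a live host the same function can read the output of `doveconf -n` on stdin instead of the sample text.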
Acknowledgments: Name: the Dovecot project
External References: https://dovecot.org/pipermail/dovecot-news/2020-August/000442.html
Created dovecot tracking bugs for this issue: Affects: fedora-all [bug 1868540]
Upstream patch: https://github.com/dovecot/core/commit/fb246611e62ad8c5a95b0ca180a63f17aa34b0d8
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:3617 https://access.redhat.com/errata/RHSA-2020:3617
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12673
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:3713 https://access.redhat.com/errata/RHSA-2020:3713
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:3735 https://access.redhat.com/errata/RHSA-2020:3735
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:3736 https://access.redhat.com/errata/RHSA-2020:3736