As per upstream:

Vulnerability Details: Dovecot's RPA mechanism implementation accepts a zero-length message, which leads to an assert-crash later on.

Risk: An adversary can use this vulnerability to crash the dovecot auth process repeatedly, preventing login.
Created attachment 1710595: Upstream patch
Acknowledgments: Name: the Dovecot project
Mitigation: Upstream suggests that this flaw can be mitigated by disabling RPA (Remote Passphrase Authentication). RPA can be disabled by using the configuration parameter "auth_mechanisms". More details available at: https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/
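The mitigation above turns on a single setting, so the thing a defender actually wants is a quick way to confirm that RPA is really out of the effective auth_mechanisms list across a fleet. The following is an added example, not part of this bug report and not Dovecot's own tooling: a small POSIX sh function that audits a Dovecot configuration dump (the output of `doveconf -n`, or a dovecot.conf file) fed on stdin. The sample configurations at the bottom are constructed for the example.

```shell
# Added example, not part of the bug report and not Dovecot's own tooling:
# audit a Dovecot configuration dump for the RPA mechanism that the
# mitigation says to disable. Feed it `doveconf -n` output (or a
# dovecot.conf file) on stdin.

# rpa_status: reads config text on stdin, prints "rpa-enabled" if the
# effective auth_mechanisms list contains rpa, otherwise "rpa-disabled".
# Rules applied: '#' starts a comment, the last assignment wins, mechanism
# names are compared case-insensitively, and an absent setting means
# Dovecot's default (plain), i.e. no RPA.
rpa_status() {
    last=$(sed -e 's/#.*$//' \
        | grep -E '^[[:space:]]*auth_mechanisms[[:space:]]*=' \
        | tail -n 1)
    mechs=$(printf '%s\n' "$last" \
        | sed -e 's/^[^=]*=[[:space:]]*//' \
        | tr '[:upper:]' '[:lower:]')
    for m in $mechs; do
        if [ "$m" = "rpa" ]; then
            echo rpa-enabled
            return 0
        fi
    done
    echo rpa-disabled
    return 0
}

# Constructed sample configurations (not taken from any real server).
WEAK_CONF='auth_mechanisms = plain login rpa'
FIXED_CONF='auth_mechanisms = plain login'
# rpa appears only in a comment and in an overridden earlier line, so it
# is effectively off; this is the case a naive `grep rpa` gets wrong.
OVERRIDDEN_CONF='# auth_mechanisms = plain rpa
auth_mechanisms = plain login RPA
auth_mechanisms = plain login'

printf '%s\n' "$WEAK_CONF" | rpa_status        # rpa-enabled
printf '%s\n' "$FIXED_CONF" | rpa_status       # rpa-disabled
printf '%s\n' "$OVERRIDDEN_CONF" | rpa_status  # rpa-disabled
```

On a live host, `doveconf -n | rpa_status` after sourcing the function gives the effective answer rather than what a raw text search of dovecot.conf would report, because doveconf has already resolved includes and repeated assignments.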
External References: https://dovecot.org/pipermail/dovecot-news/2020-August/000443.html
Created dovecot tracking bugs for this issue: Affects: fedora-all [bug 1868541]
Upstream patch: https://github.com/dovecot/core/commit/69ad3c902ea4bbf9f21ab1857d8923f975dc6145
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:3617 https://access.redhat.com/errata/RHSA-2020:3617
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12674
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:3713 https://access.redhat.com/errata/RHSA-2020:3713
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:3735 https://access.redhat.com/errata/RHSA-2020:3735
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:3736 https://access.redhat.com/errata/RHSA-2020:3736