A flaw was found in dovecot before version 2.3.13. Mail parsing crashed when the 10 000th MIME part was message/rfc822 (or if parent was multipart/digest). This happened due to earlier MIME parsing changes for CVE-2020-12100.
References:
https://www.openwall.com/lists/oss-security/2021/01/04/3
https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
Created dovecot tracking bugs for this issue: Affects: fedora-all [bug 1912461]
Upstream commits:
https://github.com/dovecot/core/commit/266e54b7b8c34c9a58dd60a2e53c5ca7d1deae19
https://github.com/dovecot/core/commit/fb97a1cddbda4019e327fa736972a1c7433fedaa
Mitigation: A potential mitigation is configuring the mail transfer agent to not accept messages with more than 10,000 MIME parts.
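The mitigation above needs a MIME part count at the MTA's content-filter stage. The following is an added example, not code from Dovecot, Red Hat, or this bug report. The function names, the SMTP reply text, and the counting rule (every node Python's `email` walker visits, including the top-level message and the message inside each message/rfc822 part) are assumptions, and Dovecot's own parser may count differently.

```python
import email
from email import policy

MAX_MIME_PARTS = 10_000  # threshold named in the mitigation

# Constructed sample: multipart/mixed holding text/plain and message/rfc822.
SAMPLE = b"""\
From: a@example.test
To: b@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: message/rfc822

Subject: inner
Content-Type: text/plain

inner body
--b1--
"""

def count_mime_parts(raw: bytes, stop_after: int) -> int:
    """Count nodes in the MIME tree, stopping once stop_after is exceeded."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    count = 0
    for _ in msg.walk():  # yields the root, each part, and embedded messages
        count += 1
        if count > stop_after:
            break  # enough to decide; do not walk the rest
    return count

def verdict(raw: bytes, limit: int = MAX_MIME_PARTS):
    """Return (action, smtp_reply) for a content filter (hypothetical format)."""
    if count_mime_parts(raw, limit) > limit:
        return "reject", "550 5.6.0 Message has too many MIME parts"
    return "accept", "250 2.0.0 Ok"

if __name__ == "__main__":
    print(count_mime_parts(SAMPLE, MAX_MIME_PARTS), verdict(SAMPLE))
```

Because the count here may not match Dovecot's exactly, a deployment can set the limit below 10,000 to leave margin.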
External References: https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:1887 https://access.redhat.com/errata/RHSA-2021:1887
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25275