Tuesday 19th May 2020
Fedora Project
Updated perl-Text-CSV_XS to 1.42 in Rawhide:
Update to Devel::PPPort-3.58
Unicode fixes for csv2xls and csv2xlsx
- Add internal buffers to cache diagnostics
Fix positional reporting in examples/csv-check
Allow passing CSV parsing attributes to csv-check
Proof reading - doc fixes by Klaus Baldermann <soonix> (GH#21)
Fix type caching (CPAN RT#132344)
Small doc fix by Nick Tonkin <1nickt> (GH#22)
Fix sep=; being ignored in ->header (GH#23)
Local Packages
Updated dovecot to 2.3.10.1:
CVE-2020-10957: lmtp/submission: A client can crash the server by sending a NOOP command with an invalid string parameter
- This occurs particularly for a parameter that doesn't start with a double quote
This applies to all SMTP services, including submission-login, which makes it possible to crash the submission service without authentication
CVE-2020-10958: lmtp/submission: Sending many invalid or unknown commands can cause the server to access freed memory, which can lead to a server crash
This happens when the server closes the connection with a "421 Too many invalid commands" error; the bad command limit depends on the service (lmtp or submission) and varies between 10 to 20 bad commands
CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash
Updated nmap (7.80) not to assert-crash on unsolicited ARP response (Bug #1836989)
Updated perl-Text-CSV_XS to 1.42 as per the Fedora version