ArchLinux: 201705-1: dovecot: denial of service
Summary
A security issue has been found in Dovecot >= 2.2.26 and <= 2.2.28. If the "dict" passdb is used for authentication, the username sent by the client is passed to the var_expand() function and double expansion of %-variables is performed. A remote unauthenticated attacker could then send a specially crafted username containing %variables to cause a denial of service.
Resolution
Upgrade to 2.2.29.1-1.
# pacman -Syu "dovecot>=2.2.29.1-1"
The problem has been fixed upstream in version 2.2.29.1.
References
https://dovecot.org/list/dovecot-news/2017-April/000341.html https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch https://security.archlinux.org/CVE-2017-2669
Workaround
None.