ArchLinux: 201904-9: dovecot: denial of service

    Date: 24 Apr 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package dovecot before version 2.3.5.2-1 is vulnerable to denial of service.
    Arch Linux Security Advisory ASA-201904-9
    =========================================
    
    Severity: Medium
    Date    : 2019-04-18
    CVE-ID  : CVE-2019-10691
    Package : dovecot
    Type    : denial of service
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-950
    
    Summary
    =======
    
    The package dovecot before version 2.3.5.2-1 is vulnerable to denial of
    service.
    
    Resolution
    ==========
    
    Upgrade to 2.3.5.2-1.
    
    # pacman -Syu "dovecot>=2.3.5.2-1"
    
    The problem has been fixed upstream in version 2.3.5.2.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    The JSON encoder in Dovecot 2.3 incorrectly assert-crashes when it
    encounters invalid UTF-8 characters. This can be used to crash Dovecot
    in two ways. An attacker can repeatedly crash the Dovecot authentication
    process by logging in with an invalid UTF-8 sequence in the username.
    This requires that auth policy is enabled. A crash can also occur if the
    OX push notification driver is enabled and an email is delivered with an
    invalid UTF-8 sequence in the From or Subject header. In 2.2, malformed
    UTF-8 sequences are forwarded "as-is", and thus do not cause problems in
    Dovecot itself; target systems should be checked for possible problems
    in dealing with such sequences.
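
    As an added illustration of the hardening the advisory describes (example code, not Dovecot's own), the C encoder below validates every UTF-8 sequence while building a JSON string and substitutes the U+FFFD replacement character for each invalid byte instead of aborting on an assertion; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the valid UTF-8 sequence starting at s (n bytes available),
 * or 0 if the bytes at s do not form a valid sequence. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    size_t len;
    uint32_t cp;
    if (s[0] < 0x80) return 1;
    else if ((s[0] & 0xE0) == 0xC0) { len = 2; cp = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; cp = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; cp = s[0] & 0x07; }
    else return 0;                       /* stray continuation byte or 0xF8..0xFF */
    if (n < len) return 0;               /* truncated sequence */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    /* reject overlong encodings, UTF-16 surrogates and code points > U+10FFFF */
    if ((len == 2 && cp < 0x80) || (len == 3 && cp < 0x800) ||
        (len == 4 && cp < 0x10000)) return 0;
    if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    return len;
}

/* Encode src (e.g. a username or a From/Subject header value) as a quoted
 * JSON string literal. Invalid UTF-8 bytes become \ufffd rather than
 * tripping an assertion, so hostile input cannot abort the process.
 * Returns a malloc'd buffer that the caller frees. */
char *json_encode_string(const char *src)
{
    size_t n = strlen(src);
    /* worst case: every byte expands to a 6-character \uXXXX escape */
    char *out = malloc(n * 6 + 3), *p = out;
    const unsigned char *s = (const unsigned char *)src;
    *p++ = '"';
    for (size_t i = 0; i < n; ) {
        size_t len = utf8_seq_len(s + i, n - i);
        if (len == 0) { p += sprintf(p, "\\ufffd"); i++; continue; }
        unsigned char c = s[i];
        if (c == '"' || c == '\\') { *p++ = '\\'; *p++ = c; }
        else if (c < 0x20) p += sprintf(p, "\\u%04x", c);
        else { memcpy(p, s + i, len); p += len; }
        i += len;
    }
    *p++ = '"'; *p = '\0';
    return out;
}
```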
    
    Impact
    ======
    
    An attacker is able to crash the dovecot process by making it process a
    username or email containing an unsupported UTF-8 sequence.
    
    References
    ==========
    
    https://wiki.dovecot.org/Authentication/Policy
    https://security.archlinux.org/CVE-2019-10691
    
    