[manjaro-security] [ASA-201904-9] dovecot: denial of service
rgacogne at archlinux.org
Wed Apr 24 15:17:37 CEST 2019
Arch Linux Security Advisory ASA-201904-9
Date : 2019-04-18
CVE-ID : CVE-2019-10691
Package : dovecot
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-950
The package dovecot before version 18.104.22.168-1 is vulnerable to denial of service.
Upgrade to 22.214.171.124-1.
# pacman -Syu "dovecot>=126.96.36.199-1"
The problem has been fixed upstream in version 188.8.131.52.
The JSON encoder in Dovecot 2.3 incorrectly assert-crashes when it encounters
invalid UTF-8 characters: it treats well-formed UTF-8 as an internal invariant
even though the string comes straight from the network, so a single malformed
byte aborts the whole process instead of being rejected or replaced. This can
be used to crash Dovecot in two ways. An attacker can repeatedly crash the
Dovecot authentication process by logging in with an invalid UTF-8 sequence in
the username; this requires that auth policy is enabled. A crash can also occur
if the OX push notification driver is enabled and an e-mail is delivered with an
invalid UTF-8 sequence in its From or Subject header. Installations with neither
feature enabled are not exposed to this crash. In 2.2, malformed UTF-8 sequences
are forwarded "as-is" and thus do not cause problems in Dovecot itself.
Target systems should be checked for possible problems in dealing with
A remote attacker can crash the Dovecot authentication process (when auth policy
is enabled) or the delivery path (when the OX push notification driver is
enabled) by making it process a username or e-mail containing an invalid UTF-8
sequence, resulting in a denial of service.
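The assert-on-invalid-UTF-8 failure mode described above, next to the handling a JSON encoder fed network data should do instead, as an added C example. This is not Dovecot's code and not part of the advisory; how upstream's fixed encoder actually behaves is not stated on this page. The validator, both encoders and the sample login-name and Subject bytes are constructed here for illustration.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length (1..4) of the well-formed UTF-8 sequence at s, or 0 if the bytes at s
 * do not start one. */
static size_t utf8_seq_len(const unsigned char *s, size_t len)
{
    if (len == 0) return 0;
    unsigned char c = s[0];
    size_t n; uint32_t cp, min_cp;
    if (c < 0x80) return 1;
    if ((c & 0xE0) == 0xC0)      { n = 2; cp = c & 0x1F; min_cp = 0x80; }
    else if ((c & 0xF0) == 0xE0) { n = 3; cp = c & 0x0F; min_cp = 0x800; }
    else if ((c & 0xF8) == 0xF0) { n = 4; cp = c & 0x07; min_cp = 0x10000; }
    else return 0;                           /* stray continuation or 0xF8..0xFF */
    if (len < n) return 0;                   /* truncated sequence */
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0; /* bad continuation byte */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < min_cp || (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF)
        return 0;                            /* overlong, surrogate, out of range */
    return n;
}

/* True if the whole buffer is well-formed UTF-8. */
bool utf8_is_valid(const char *str, size_t len)
{
    const unsigned char *s = (const unsigned char *)str;
    for (size_t i = 0, n; i < len; i += n)
        if ((n = utf8_seq_len(s + i, len - i)) == 0) return false;
    return true;
}

/* Hardened encoder: JSON string literal from arbitrary bytes. Valid UTF-8 is
 * copied through, '"', '\\' and control characters are escaped, and every byte
 * that is not part of a well-formed sequence becomes \ufffd instead of tripping
 * an assert. Returns a malloc'd string (caller frees); *replaced gets the count. */
char *json_quote_utf8(const char *in, size_t len, size_t *replaced)
{
    const unsigned char *s = (const unsigned char *)in;
    char *out = malloc(len * 6 + 3);  /* worst case 6 chars per byte + quotes + NUL */
    if (out == NULL) return NULL;
    size_t o = 0, bad = 0;
    out[o++] = '"';
    for (size_t i = 0; i < len;) {
        size_t n = utf8_seq_len(s + i, len - i);
        if (n == 0) {                         /* malformed: replace this byte, resync */
            memcpy(out + o, "\\ufffd", 6); o += 6; bad++; i++;
        } else if (n > 1) {                   /* valid multibyte: copy verbatim */
            memcpy(out + o, s + i, n); o += n; i += n;
        } else if (s[i] == '"' || s[i] == '\\') {
            out[o++] = '\\'; out[o++] = (char)s[i++];
        } else if (s[i] < 0x20) {             /* control characters must be escaped */
            o += (size_t)snprintf(out + o, 7, "\\u%04x", (unsigned)s[i++]);
        } else {
            out[o++] = (char)s[i++];
        }
    }
    out[o++] = '"'; out[o] = '\0';
    if (replaced != NULL) *replaced = bad;
    return out;
}

/* The pattern the advisory describes: the encoder asserts that its input is
 * valid UTF-8, so one bad byte in a wire-supplied username or header aborts the
 * whole process. Illustrative only, not Dovecot's code. */
char *json_quote_asserting(const char *in, size_t len)
{
    assert(utf8_is_valid(in, len));          /* attacker-reachable assert */
    return json_quote_utf8(in, len, NULL);
}

/* Encode, compare with the expected literal, free. */
bool json_quote_matches(const char *in, size_t len, const char *expected)
{
    char *got = json_quote_utf8(in, len, NULL);
    bool ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed inputs modelled on the advisory's two triggers; not real traffic. */
    const char *samples[2][2] = {
        { "username", "alice\xff" },                /* 0xFF is never valid UTF-8 */
        { "subject",  "Re: \"invoice\" \xe2\x82" }, /* truncated U+20AC */
    };
    for (int k = 0; k < 2; k++) {
        size_t len = strlen(samples[k][1]), bad = 0;
        char *q = json_quote_utf8(samples[k][1], len, &bad);
        printf("%-8s asserting encoder: %s  hardened: %s (%zu byte(s) replaced)\n",
               samples[k][0], utf8_is_valid(samples[k][1], len) ? "ok" : "ABORTS", q, bad);
        free(q);
    }
    return 0;
}
```

The hardened encoder replaces each offending byte with U+FFFD and keeps going, which is the right choice when the value is only being logged or forwarded to a policy server; rejecting the login outright is the other defensible option. Either way the check belongs on the untrusted input, not in an assert: asserts document invariants the program itself guarantees, and a username typed by a remote client is not one of them.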