[manjaro-security] [ASA-201904-9] dovecot: denial of service

Remi Gacogne rgacogne at archlinux.org
Wed Apr 24 15:17:37 CEST 2019

Arch Linux Security Advisory ASA-201904-9

Severity: Medium
Date    : 2019-04-18
CVE-ID  : CVE-2019-10691
Package : dovecot
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-950


The package dovecot before version is vulnerable to denial of


Upgrade to

# pacman -Syu "dovecot>="

The problem has been fixed upstream in version




The JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering
invalid UTF-8 characters. This can be used to crash Dovecot in two
ways. An attacker can repeatedly crash the Dovecot authentication process by
logging in using an invalid UTF-8 sequence in the username. This requires that
auth policy is enabled. A crash can also occur if the OX push notification
driver is enabled and an email is delivered with an invalid UTF-8 sequence
in the From or Subject header. In 2.2, malformed UTF-8 sequences are
forwarded "as-is", and thus do not cause problems in Dovecot itself.
Target systems should be checked for possible problems in dealing with
such sequences.


An attacker is able to crash the dovecot process by making it process a
username or email containing an unsupported UTF-8 sequence.
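The root cause described above is a design choice in the encoder: a malformed UTF-8 sequence was treated as an impossible state and hit an assertion, so input an outside party controls (a login username, a From or Subject header) could reach an abort. The following C program is an added illustration and is not Dovecot's code: a small JSON string encoder that validates UTF-8 itself and substitutes U+FFFD for each malformed byte instead of asserting, so the process keeps running and the caller learns how many bytes were replaced. All function names, the replacement policy and the sample usernames are the example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one UTF-8 sequence at s (len bytes available). Returns the number of
 * bytes consumed, or 0 if they do not form a well-formed sequence: bad lead
 * byte, truncated, bad continuation, overlong form, surrogate, > U+10FFFF. */
static size_t utf8_decode(const unsigned char *s, size_t len, uint32_t *cp)
{
    size_t need, i;
    uint32_t c;

    if (len == 0)
        return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if (s[0] >= 0xC2 && s[0] <= 0xDF) { need = 1; c = s[0] & 0x1F; }
    else if (s[0] >= 0xE0 && s[0] <= 0xEF) { need = 2; c = s[0] & 0x0F; }
    else if (s[0] >= 0xF0 && s[0] <= 0xF4) { need = 3; c = s[0] & 0x07; }
    else return 0;                 /* 0x80-0xC1 and 0xF5-0xFF never start a sequence */
    if (len < need + 1)
        return 0;                  /* truncated sequence */
    for (i = 1; i <= need; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return 0;              /* continuation byte expected */
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (need == 2 && c < 0x800) return 0;                    /* overlong 3-byte form */
    if (need == 3 && (c < 0x10000 || c > 0x10FFFF)) return 0; /* overlong or out of range */
    if (c >= 0xD800 && c <= 0xDFFF) return 0;                /* UTF-16 surrogate */
    *cp = c;
    return need + 1;
}

/* Append n bytes to a bounded buffer, keeping room for the final NUL. */
static int buf_put(char *out, size_t outsz, size_t *pos, const char *src, size_t n)
{
    if (*pos + n >= outsz)
        return -1;
    memcpy(out + *pos, src, n);
    *pos += n;
    return 0;
}

/* Encode in[0..len) as a quoted JSON string literal into out. Malformed UTF-8
 * bytes are replaced by U+FFFD (EF BF BD) rather than aborting. Returns the
 * number of bytes replaced, or -1 if out is too small. */
int json_encode_string(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    size_t pos = 0, i = 0;
    int replaced = 0;
    char tmp[8];

    if (buf_put(out, outsz, &pos, "\"", 1) < 0) return -1;
    while (i < len) {
        uint32_t cp;
        size_t n = utf8_decode(in + i, len - i, &cp);
        if (n == 0) {
            /* Fail-safe path: substitute, count, skip one byte and continue. */
            if (buf_put(out, outsz, &pos, "\xEF\xBF\xBD", 3) < 0) return -1;
            replaced++;
            i++;
            continue;
        }
        if (cp == '"' || cp == '\\') {
            tmp[0] = '\\'; tmp[1] = (char)cp;
            if (buf_put(out, outsz, &pos, tmp, 2) < 0) return -1;
        } else if (cp < 0x20) {
            const char *esc = NULL;
            switch (cp) {
            case '\b': esc = "\\b"; break; case '\f': esc = "\\f"; break;
            case '\n': esc = "\\n"; break; case '\r': esc = "\\r"; break;
            case '\t': esc = "\\t"; break;
            }
            if (esc) { if (buf_put(out, outsz, &pos, esc, 2) < 0) return -1; }
            else {
                snprintf(tmp, sizeof tmp, "\\u%04x", (unsigned)cp);
                if (buf_put(out, outsz, &pos, tmp, 6) < 0) return -1;
            }
        } else {
            /* Valid UTF-8: copy the sequence through unchanged. */
            if (buf_put(out, outsz, &pos, (const char *)in + i, n) < 0) return -1;
        }
        i += n;
    }
    if (buf_put(out, outsz, &pos, "\"", 1) < 0) return -1;
    out[pos] = '\0';
    return replaced;
}

/* Convenience wrappers for NUL-terminated input (static buffer, not reentrant). */
const char *json_encode_cstr(const char *s)
{
    static char buf[256];
    if (json_encode_string((const unsigned char *)s, strlen(s), buf, sizeof buf) < 0)
        return NULL;
    return buf;
}

int json_encode_count_replaced(const char *s)
{
    char buf[256];
    return json_encode_string((const unsigned char *)s, strlen(s), buf, sizeof buf);
}

int main(void)
{
    /* Constructed sample: a username carrying a lone 0xC3 lead byte. */
    const char *user = "alice\xC3(";
    printf("%s (replaced %d byte(s))\n", json_encode_cstr(user),
           json_encode_count_replaced(user));
    return 0;
}
```

The non-zero return value is the hook a defender wants: the encoder never aborts, but the caller can log the count of substituted bytes at the auth or delivery layer, which is the kind of check the advisory recommends for 2.2 systems that forward such sequences untouched.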


