[ASA-201904-9] dovecot: denial of service
Arch Linux Security Advisory ASA-201904-9 ========================================= Severity: Medium Date : 2019-04-18 CVE-ID : CVE-2019-10691 Package : dovecot Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-950 Summary ======= The package dovecot before version 2.3.5.2-1 is vulnerable to denial of service. Resolution ========== Upgrade to 2.3.5.2-1. # pacman -Syu "dovecot>=2.3.5.2-1" The problem has been fixed upstream in version 2.3.5.2. Workaround ========== None. Description =========== JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. This can be used to crash dovecot in two ways. Attacker can repeatedly crash Dovecot authentication process by logging in using invalid UTF-8 sequence in username. This requires that auth policy is enabled. Crash can also occur if OX push notification driver is enabled and an email is delivered with invalid UTF-8 sequence in From or Subject header. In 2.2, malformed UTF-8 sequences are forwarded "as-is", and thus do not cause problems in Dovecot itself. Target systems should be checked for possible problems in dealing with such sequences. Impact ====== An attacker is able to crash the dovecot process by making it process a username or email containing an unsupported UTF-8 sequence. References ========== https://wiki.dovecot.org/Authentication/Policy https://security.archlinux.org/CVE-2019-10691
participants (1)
-
Remi Gacogne