[ASA-201904-9] dovecot: denial of service
Remi Gacogne
rgacogne at archlinux.org
Wed Apr 24 13:17:37 UTC 2019
Arch Linux Security Advisory ASA-201904-9
=========================================
Severity: Medium
Date : 2019-04-18
CVE-ID : CVE-2019-10691
Package : dovecot
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-950
Summary
=======
The package dovecot before version 2.3.5.2-1 is vulnerable to denial of
service.
Resolution
==========
Upgrade to 2.3.5.2-1.
# pacman -Syu "dovecot>=2.3.5.2-1"
The problem has been fixed upstream in version 2.3.5.2.
Workaround
==========
None.
Description
===========
JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering
invalid UTF-8 characters. This can be used to crash dovecot in two
ways. Attacker can repeatedly crash Dovecot authentication process by
logging in using invalid UTF-8 sequence in username. This requires that
auth policy is enabled. Crash can also occur if OX push notification
driver is enabled and an email is delivered with invalid UTF-8 sequence
in From or Subject header. In 2.2, malformed UTF-8 sequences are
forwarded "as-is", and thus do not cause problems in Dovecot itself.
Target systems should be checked for possible problems in dealing with
such sequences.
Impact
======
An attacker is able to crash the dovecot process by making it process a
username or email containing an unsupported UTF-8 sequence.
References
==========
https://wiki.dovecot.org/Authentication/Policy
https://security.archlinux.org/CVE-2019-10691
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20190424/452f55c6/attachment-0001.sig>
More information about the arch-security
mailing list