ASA-201904-9 generated external raw

[ASA-201904-9] dovecot: denial of service
Arch Linux Security Advisory ASA-201904-9 ========================================= Severity: Medium Date : 2019-04-18 CVE-ID : CVE-2019-10691 Package : dovecot Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-950 Summary ======= The package <a href="/package/dovecot">dovecot</a> before version 2.3.5.2-1 is vulnerable to denial of service. Resolution ========== Upgrade to 2.3.5.2-1. # pacman -Syu "dovecot>=2.3.5.2-1" The problem has been fixed upstream in version 2.3.5.2. Workaround ========== None. Description =========== JSON encoder in <a href="/package/dovecot">Dovecot</a> 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. This can be used to crash <a href="/package/dovecot">dovecot</a> in two ways. Attacker can repeatedly crash <a href="/package/dovecot">Dovecot</a> authentication process by logging in using invalid UTF-8 sequence in username. This requires that auth policy is enabled. Crash can also occur if OX push notification driver is enabled and an email is delivered with invalid UTF-8 sequence in From or Subject header. In 2.2, malformed UTF-8 sequences are forwarded "as-is", and thus do not cause problems in <a href="/package/dovecot">Dovecot</a> itself. Target systems should be checked for possible problems in dealing with such sequences. Impact ====== An attacker is able to crash the <a href="/package/dovecot">dovecot</a> process by making it process a username or email containing an unsupported UTF-8 sequence. References ========== https://wiki.dovecot.org/Authentication/Policy https://security.archlinux.org/CVE-2019-10691