ASA-201904-9 log generated external raw

[ASA-201904-9] dovecot: denial of service
Arch Linux Security Advisory ASA-201904-9 ========================================= Severity: Medium Date : 2019-04-18 CVE-ID : CVE-2019-10691 Package : dovecot Type : denial of service Remote : Yes Link : Summary ======= The package dovecot before version is vulnerable to denial of service. Resolution ========== Upgrade to # pacman -Syu "dovecot>=" The problem has been fixed upstream in version Workaround ========== None. Description =========== JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. This can be used to crash dovecot in two ways. Attacker can repeatedly crash Dovecot authentication process by logging in using invalid UTF-8 sequence in username. This requires that auth policy is enabled. Crash can also occur if OX push notification driver is enabled and an email is delivered with invalid UTF-8 sequence in From or Subject header. In 2.2, malformed UTF-8 sequences are forwarded "as-is", and thus do not cause problems in Dovecot itself. Target systems should be checked for possible problems in dealing with such sequences. Impact ====== An attacker is able to crash the dovecot process by making it process a username or email containing an unsupported UTF-8 sequence. References ==========