[ASA-201904-9] dovecot: denial of service
Arch Linux Security Advisory ASA-201904-9
=========================================
Severity: Medium
Date : 2019-04-18
CVE-ID : CVE-2019-10691
Package : dovecot
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-950
Summary
=======
The package dovecot before version 2.3.5.2-1 is vulnerable to denial of
service.
Resolution
==========
Upgrade to 2.3.5.2-1.
# pacman -Syu "dovecot>=2.3.5.2-1"
The problem has been fixed upstream in version 2.3.5.2.
Workaround
==========
None.
Description
===========
The JSON encoder in Dovecot 2.3 incorrectly assert-crashes when it
encounters an invalid UTF-8 sequence. This can be used to crash Dovecot
in two ways. An attacker can repeatedly crash the Dovecot authentication
process by logging in with a username that contains an invalid UTF-8
sequence; this requires that authentication policy support (auth policy)
is enabled. A crash can also occur if the OX push notification driver is
enabled and an email is delivered whose From or Subject header contains
an invalid UTF-8 sequence. In Dovecot 2.2, malformed UTF-8 sequences are
forwarded as-is and thus do not cause problems in Dovecot itself; the
systems that receive this data should be checked for possible problems
in dealing with such sequences.
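The failure mode above is an encoder that trusts its input to be valid UTF-8 and asserts on it, so a single malformed byte sequence becomes a process abort. The following is an added example, not Dovecot code and not part of the advisory: a small model of the asserting encoder next to a hardened variant that replaces malformed sequences with U+FFFD, plus a checker that reports which of the two input channels named above (the login username, the From/Subject headers) carry invalid UTF-8. The sample username and headers are constructed for the example.

```python
import json

# Constructed sample inputs (not taken from the advisory): a login username
# and mail headers that each contain a byte sequence which is not valid UTF-8.
SAMPLE_USERNAME = b"alice\xff\xfe@example.org"          # 0xFF/0xFE never occur in UTF-8
SAMPLE_HEADERS = {
    b"From": b"Bob <bob@example.org>",                 # valid
    b"Subject": b"Invoice \xc3\x28 attached",          # 0xC3 needs a 0x80-0xBF continuation byte
}


def utf8_is_valid(data: bytes) -> bool:
    """Strict check: True only if every byte belongs to a well-formed UTF-8
    sequence. Python's decoder rejects overlong forms, surrogates and code
    points above U+10FFFF, which is the strictness a policy/JSON layer needs."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def json_encode_asserting(data: bytes) -> str:
    """Hypothetical model of the 2.3 behaviour described in the advisory: the
    encoder assumes its input is valid UTF-8 and asserts on that assumption,
    so malformed input aborts instead of producing output."""
    assert utf8_is_valid(data), "invalid UTF-8 passed to JSON encoder"
    return json.dumps(data.decode("utf-8"))


def json_encode_safe(data: bytes) -> str:
    """Hardened variant: never trusts the input. Malformed sequences are
    replaced with U+FFFD before encoding, so the caller always receives a
    valid JSON string and the process keeps running. Unlike the 2.2 behaviour
    (forwarding raw bytes as-is), the receiving system also never sees
    malformed UTF-8."""
    return json.dumps(data.decode("utf-8", errors="replace"))


def encoder_aborts(encode, data: bytes) -> bool:
    """True if the given encoder would abort (fail its assertion) on data."""
    try:
        encode(data)
        return False
    except AssertionError:
        return True


def find_invalid_utf8(fields: dict) -> list:
    """Report which named fields (username, From, Subject, ...) would trigger
    the asserting encoder; useful for checking queued mail or auth inputs."""
    return [name.decode("ascii") for name, value in fields.items()
            if not utf8_is_valid(value)]


if __name__ == "__main__":
    inputs = dict(SAMPLE_HEADERS)
    inputs[b"username"] = SAMPLE_USERNAME
    print("fields with invalid UTF-8:", find_invalid_utf8(inputs))
    print("asserting encoder aborts on username:",
          encoder_aborts(json_encode_asserting, SAMPLE_USERNAME))
    print("safe encoding of username:", json_encode_safe(SAMPLE_USERNAME))
    print("safe encoding of Subject:", json_encode_safe(SAMPLE_HEADERS[b"Subject"]))
```

Run it as a script to see the two encoders side by side; `find_invalid_utf8` is the piece to reuse against real usernames or header values when checking whether a system that still receives raw bytes (the 2.2 behaviour) is being fed sequences it may not handle.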
Impact
======
A remote attacker is able to crash the Dovecot authentication process, or
the process handling OX push notifications, by making it process a
username or email header containing a malformed UTF-8 sequence.
References
==========
https://wiki.dovecot.org/Authentication/Policy
https://security.archlinux.org/CVE-2019-10691