CVE-2019-11500

Source
Severity  Critical
Remote    Yes
Type      Arbitrary code execution
Description
The IMAP and ManageSieve protocol parsers in Dovecot before 2.3.7.2 and Pigeonhole before 0.5.7.2 do not properly handle a NUL byte when scanning data in quoted strings, leading to out-of-bounds heap memory writes.
Group     Package     Affected   Fixed      Severity  Status  Ticket
AVG-1027  pigeonhole  0.5.7.1-1  0.5.7.2-1  Critical  Fixed
AVG-1026  dovecot     2.3.7.1-1  2.3.7.2-1  Critical  Fixed
Date         Advisory       Group     Package     Severity  Description
28 Aug 2019  ASA-201908-19  AVG-1027  pigeonhole  Critical  arbitrary code execution
28 Aug 2019  ASA-201908-18  AVG-1026  dovecot     Critical  arbitrary code execution
References
https://dovecot.org/pipermail/dovecot-news/2019-August/000418.html
https://github.com/dovecot/core/commit/85fcb895ca7f0bcb8ee72047fe0e1e78532ff90b
https://github.com/dovecot/core/commit/f904cbdfec25582bc5e2a7435bf82ff769f2526a
https://github.com/dovecot/pigeonhole/commit/7ce9990a5e6ba59e89b7fe1c07f574279aed922c
https://github.com/dovecot/pigeonhole/commit/4a299840cdb51f61f8d1ebc0210b19c40dfbc1cc