CVE-2020-28200 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Denial of service
Description	A security issue has been found in Pigeonhole before version 0.5.15. The Sieve interpreter is not protected against abusive scripts that claim excessive resource usage, especially scripts using massive amounts of regexps. This means an attacker can cause a denial of service of the mail delivery system by using excessive amount of CPU and/or reaching the lmtp/lda process limits.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2088	pigeonhole	0.5.14-1	0.5.15-1	Medium	Fixed

Date	Advisory	Group	Package	Severity	Type
22 Jun 2021	ASA-202106-57	AVG-2088	pigeonhole	Medium	denial of service

References
https://dovecot.org/pipermail/dovecot-news/2021-June/000458.html https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html https://www.openwall.com/lists/oss-security/2021/06/28/3 https://github.com/dovecot/pigeonhole/commit/68505e444f91ebd784d419a8c11f1bc3fda3ceab

References

https://dovecot.org/pipermail/dovecot-news/2021-June/000458.html
https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
https://www.openwall.com/lists/oss-security/2021/06/28/3
https://github.com/dovecot/pigeonhole/commit/68505e444f91ebd784d419a8c11f1bc3fda3ceab

Notes
Workaround ========== Disabling the regex sieve extension avoids the worst problems. lmtp_user_concurrency_limit may also be helpful.