dovecot

Description: An IMAP and POP3 server written with security primarily in mind
Version: 2.3.6-1 [community]

Resolved

| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-954 | 2.3.5.2-1 | 2.3.6-1 | Medium | Fixed | |
| AVG-950 | 2.3.5.1-4 | 2.3.5.2-1 | Medium | Fixed | |
| AVG-944 | 2.3.5-2 | 2.3.5.1-1 | High | Fixed | |
| AVG-872 | 2.3.4-3 | 2.3.4.1-1 | High | Fixed | |
| AVG-645 | 2.3.0-2 | 2.3.0.1-1 | High | Fixed | |
| AVG-238 | 2.2.28-3 | 2.2.29.1-1 | Medium | Fixed | |
| AVG-94 | 0.0-1 | 2.2.27-1 | Medium | Fixed | |

| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2019-11499 | AVG-954 | Medium | Yes | Denial of service | Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent. This can lead to... |
| CVE-2019-11494 | AVG-954 | Medium | Yes | Denial of service | Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting. This can lead to denial-of service... |
| CVE-2019-10691 | AVG-950 | Medium | Yes | Denial of service | JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. This can be used to crash dovecot in two ways. Attacker... |
| CVE-2019-7524 | AVG-944 | High | No | Privilege escalation | A stack-based buffer overflow has been found in Dovecot versions prior to 2.3.5.1. When reading FTS or POP3-UIDL header from dovecot index, the input buffer... |
| CVE-2019-3814 | AVG-872 | High | Yes | Authentication bypass | A vulnerability has been found in Dovecot versions prior to 2.3.4.1, allowing a remote client in possession of a trusted SSL certificate to log in as any... |
| CVE-2017-15132 | AVG-645 | Medium | Yes | Denial of service | A flaw was found in dovecot before 2.2.34 and 2.3.0.1. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login... |
| CVE-2017-15130 | AVG-645 | Medium | Yes | Denial of service | A denial of service flaw was found in dovecot before 2.2.34 and 2.3.0.1. An attacker able to generate random SNI server names could exploit TLS SNI... |
| CVE-2017-14461 | AVG-645 | High | Yes | Information disclosure | A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information... |
| CVE-2017-2669 | AVG-238 | Medium | Yes | Denial of service | A security issue has been found in Dovecot >= 2.2.26 and <= 2.2.28. If the "dict" passdb is used for authentication, the username sent by the client is... |
| CVE-2016-8652 | AVG-94 | Medium | Yes | Denial of service | If the auth-policy component has been activated in Dovecot, then a remote user is able to use SASL authentication to crash the auth component. Workaround is... |

Advisories

| Date | Advisory | Group | Severity | Description |
|---|---|---|---|---|
| 06 May 2019 | ASA-201905-6 | AVG-954 | Medium | denial of service |
| 18 Apr 2019 | ASA-201904-9 | AVG-950 | Medium | denial of service |
| 28 Mar 2019 | ASA-201903-16 | AVG-944 | High | privilege escalation |
| 06 Feb 2019 | ASA-201902-1 | AVG-872 | High | authentication bypass |
| 06 Mar 2018 | ASA-201803-7 | AVG-645 | High | multiple issues |
| 01 May 2017 | ASA-201705-1 | AVG-238 | Medium | denial of service |