dovecot

Description: An IMAP and POP3 server written with security primarily in mind
Version: 2.3.9-1 [community]

Resolved

| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-1026 | 2.3.7.1-1 | 2.3.7.2-1 | Critical | Fixed | |
| AVG-954 | 2.3.5.2-1 | 2.3.6-1 | Medium | Fixed | |
| AVG-950 | 2.3.5.1-4 | 2.3.5.2-1 | Medium | Fixed | |
| AVG-944 | 2.3.5-2 | 2.3.5.1-1 | High | Fixed | |
| AVG-872 | 2.3.4-3 | 2.3.4.1-1 | High | Fixed | |
| AVG-645 | 2.3.0-2 | 2.3.0.1-1 | High | Fixed | |
| AVG-238 | 2.2.28-3 | 2.2.29.1-1 | Medium | Fixed | |
| AVG-94 | 0.0-1 | 2.2.27-1 | Medium | Fixed | |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2019-11500 | AVG-1026 | Critical | Yes | Arbitrary code execution | IMAP and ManageSieve protocol parsers in Dovecot before 2.3.7.2 and Pigeonhole before 0.5.7.2 do not properly handle a NUL byte when scanning data in quoted... |
| CVE-2019-11499 | AVG-954 | Medium | Yes | Denial of service | Submission-login crashes when authentication is started over a TLS-secured channel and an invalid authentication message is sent. This can lead to... |
| CVE-2019-11494 | AVG-954 | Medium | Yes | Denial of service | Submission-login crashes with signal 11 due to a null pointer access when authentication is aborted by disconnecting. This can lead to denial of service... |
| CVE-2019-10691 | AVG-950 | Medium | Yes | Denial of service | The JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. This can be used to crash dovecot in two ways. Attacker... |
| CVE-2019-7524 | AVG-944 | High | No | Privilege escalation | A stack-based buffer overflow has been found in Dovecot versions prior to 2.3.5.1. When reading the FTS or POP3-UIDL header from a dovecot index, the input buffer... |
| CVE-2019-3814 | AVG-872 | High | Yes | Authentication bypass | A vulnerability has been found in Dovecot versions prior to 2.3.4.1, allowing a remote client in possession of a trusted SSL certificate to log in as any... |
| CVE-2017-15132 | AVG-645 | Medium | Yes | Denial of service | A flaw was found in dovecot before 2.2.34 and 2.3.0.1. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login... |
| CVE-2017-15130 | AVG-645 | Medium | Yes | Denial of service | A denial of service flaw was found in dovecot before 2.2.34 and 2.3.0.1. An attacker able to generate random SNI server names could exploit TLS SNI... |
| CVE-2017-14461 | AVG-645 | High | Yes | Information disclosure | A specially crafted email delivered over SMTP and passed on to Dovecot by the MTA can trigger an out-of-bounds read resulting in potential sensitive information... |
| CVE-2017-2669 | AVG-238 | Medium | Yes | Denial of service | A security issue has been found in Dovecot >= 2.2.26 and <= 2.2.28. If the "dict" passdb is used for authentication, the username sent by the client is... |
| CVE-2016-8652 | AVG-94 | Medium | Yes | Denial of service | If the auth-policy component has been activated in Dovecot, then a remote user is able to use SASL authentication to crash the auth component. Workaround is... |

Advisories

| Date | Advisory | Group | Severity | Description |
|---|---|---|---|---|
| 28 Aug 2019 | ASA-201908-18 | AVG-1026 | Critical | arbitrary code execution |
| 06 May 2019 | ASA-201905-6 | AVG-954 | Medium | denial of service |
| 18 Apr 2019 | ASA-201904-9 | AVG-950 | Medium | denial of service |
| 28 Mar 2019 | ASA-201903-16 | AVG-944 | High | privilege escalation |
| 06 Feb 2019 | ASA-201902-1 | AVG-872 | High | authentication bypass |
| 06 Mar 2018 | ASA-201803-7 | AVG-645 | High | multiple issues |
| 01 May 2017 | ASA-201705-1 | AVG-238 | Medium | denial of service |