Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE request: Dovecot DoS in 2.x (fixed in 2.1.11)
From: Vincent Danen <vdanen () redhat com>
Date: Mon, 3 Dec 2012 10:33:41 -0700

Could a CVE be assigned for the following please?

Dovecot 2.1.11 was released and includes a fix for a crash condition
when the IMAP server was issued a SEARCH command with multiple KEYWORD
parameters.  An authenticated remote user could use this flaw to crash
Dovecot.

The upstream fix was to remove the keyword merging code.  This code
does not exist in Dovecot 1.x, but it does affect 2.x versions, at least
as far back as 2.0.9 (earliest version I checked).

References:

http://www.dovecot.org/list/dovecot-news/2012-November/000235.html
http://secunia.com/advisories/51455
http://hg.dovecot.org/dovecot-2.1/rev/0306792cc843
https://bugzilla.redhat.com/show_bug.cgi?id=883060


Thanks.

--
Vincent Danen / Red Hat Security Response Team

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]