oss-sec mailing list archives

Re: CVE request: Dovecot DoS in 2.x (fixed in 2.1.11)
From: Moritz Muehlenhoff <jmm () debian org>
Date: Tue, 4 Dec 2012 23:01:42 +0100

On Tue, Dec 04, 2012 at 06:12:29PM +0100, Matthias Weckbecker wrote:
> Hi Kurt, Vincent, vendors, ...
>
> Quoting Kurt Seifried <kseifried () redhat com>:
>> On 12/03/2012 10:33 AM, Vincent Danen wrote:
>>> Could a CVE be assigned for the following please?
>>>
>>> Dovecot 2.1.11 was released and includes a fix for a crash
>>> condition when the IMAP server was issued a SEARCH command with
>>> multiple KEYWORD parameters.  An authenticated remote user could
>>> use this flaw to crash Dovecot.
>>
>> Please use CVE-2012-5620 for this issue.
>
> We were discussing this issue too at [1] and think that it does only
> affect the current connection, no subsequent (i.e. new) connections
> are affected.
>
> What's your opinion wrt this?
>
> [1] https://bugzilla.novell.com/show_bug.cgi?id=792642

Upstream (Timo Sirainen) disputed the issue in the Debian BTS:
