Date: Fri, 2 Dec 2016 09:02:33 +0200 From: Aki Tuomi <aki.tuomi@...ecot.fi> To: oss-security@...ts.openwall.com Subject: Important vulnerability in Dovecot (CVE-2016-8652) Important vulnerability in Dovecot (CVE-2016-8652) CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H) Affected version(s): 188.8.131.52 up to 184.108.40.206 Fixed in: 220.127.116.11rc1 Short summary: Dovecot auth component can be crashed by remote user when auth-policy component is activated. If auth-policy component has been activated in Dovecot, then remote user can use SASL authentication to crash auth component. Workaround is to disable auth-policy component until fix is in place. This can be done by commenting out all auth_policy_* settings. Aki Tuomi Dovecot oy
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ