Date: Thu, 1 Mar 2018 08:51:52 +0200 (EET) From: Aki Tuomi <aki.tuomi@...n-xchange.com> To: oss-security@...ts.openwall.com Subject: Dovecot Security Advisory: CVE-2017-14461 rfc822_parse_domain Information Leak Vulnerability Vulnerable versions: 2.0 - 2.2.33, 2.3.0 Fixed versions: 2.2.34, 18.104.22.168 Score: 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H This vulnerability comes in two flavors. A malicious party can send a specially crafted email to a vulnerable system, causing it to crash dovecot. In some systems, the mail can be stored into the mail system, causing crash every time it is being opened. If the mail is stored into the mail system, it can be used to also leak heap memory from IMAP process by requesting bodystructure of the mail. This bug was separately reported by Cisco TALOS and thru HackerOne program by 'flxflndy'.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ