Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 1 Mar 2018 08:51:52 +0200 (EET)
From: Aki Tuomi <aki.tuomi@...n-xchange.com>
To: oss-security@...ts.openwall.com
Subject: Dovecot Security Advisory: CVE-2017-14461 rfc822_parse_domain
 Information Leak Vulnerability

Vulnerable versions: 2.0 - 2.2.33, 2.3.0
Fixed versions: 2.2.34, 2.3.0.1
Score: 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This vulnerability comes in two flavors. A malicious party can send a
specially crafted email to a vulnerable system, causing it to crash
dovecot. In some systems, the mail can be stored into the mail system, 
causing crash every time it is being opened.

If the mail is stored into the mail system, it can be used to also leak
heap memory from IMAP process by requesting bodystructure of the mail.

This bug was separately reported by Cisco TALOS and thru HackerOne
program by 'flxflndy'.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ