Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 1 Mar 2018 08:51:52 +0200 (EET)
From: Aki Tuomi <>
Subject: Dovecot Security Advisory: CVE-2017-14461 rfc822_parse_domain
 Information Leak Vulnerability

Vulnerable versions: 2.0 - 2.2.33, 2.3.0
Fixed versions: 2.2.34,
Score: 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This vulnerability comes in two flavors. A malicious party can send a
specially crafted email to a vulnerable system, causing it to crash
dovecot. In some systems, the mail can be stored into the mail system, 
causing crash every time it is being opened.

If the mail is stored into the mail system, it can be used to also leak
heap memory from IMAP process by requesting bodystructure of the mail.

This bug was separately reported by Cisco TALOS and thru HackerOne
program by 'flxflndy'.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.