Date: Wed, 12 Aug 2020 16:07:36 +0300
From: Aki Tuomi <aki.tuomi@...ecot.fi>
To: oss-security <oss-security@...ts.openwall.com>, full-disclosure <full-disclosure@...ts.openwall.com>
Subject: CVE-2020-12100: Dovecot IMAP server: Receiving mail with deeply nested MIME parts leads to resource exhaustion

Open-Xchange Security Advisory 2020-08-12

Affected product: Dovecot IMAP server
Internal reference: DOP-1849 (Bug ID)
Vulnerability type: Uncontrolled recursion (CWE-674)
Vulnerable version: 2.0
Vulnerable component: submission, lmtp, lda
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-04-23
CVE reference: CVE-2020-12100
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.

Risk:
A malicious actor can cause a denial of service against mail delivery by repeatedly sending mails with such content. The sender needs no credentials and no user interaction; the impact is availability only.

Workaround:
Limit MIME structures (nesting depth) in the MTA in front of Dovecot, so that over-nested messages are rejected before they reach submission, lmtp or lda.

Solution:
Upgrade to the fixed version.

Best regards,
Aki Tuomi
Open-Xchange oy
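The pattern behind CWE-674 here, shown as an added example that is not Dovecot code and does not reproduce Dovecot's parser or its fix: a MIME walker that recurses once per multipart container lets the sender choose the stack depth, while the same walker with a nesting limit fails closed. `build_nested` constructs the test message inline (constructed input, not a real sample), and the helper names (`max_depth_unbounded`, `max_depth_bounded`, `MimeTooDeep`) are this example's own.

```python
import re

# Added example for CVE-2020-12100 (not Dovecot's code): a minimal MIME
# structure walker in its vulnerable (unbounded) and hardened (bounded) form.

_CT_RE = re.compile(rb"^content-type:[ \t]*([^;\r\n]+)(.*)$", re.I | re.M)
_BOUNDARY_RE = re.compile(rb'boundary="?([^";\r\n]+)"?', re.I)


class MimeTooDeep(ValueError):
    """Raised by the bounded walker when nesting exceeds the configured limit."""


def build_nested(depth):
    """Constructed test input: `depth` multipart/mixed wrappers around one text/plain leaf."""
    opens, closes = [], []
    for level in range(depth):
        # Fixed-width boundary names so no delimiter line equals another level's.
        b = b"b%08d" % level
        opens.append(b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n--' + b + b"\r\n")
        closes.append(b"--" + b + b"--\r\n")
    leaf = b"Content-Type: text/plain\r\n\r\nhello\r\n"
    header = b"From: sender@example.test\r\nSubject: nested\r\n"
    return header + b"".join(reversed(opens)) + leaf + b"".join(closes)


def _split_entity(raw):
    """Split an entity into (header block, body) at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return (head, body) if sep else (raw, b"")


def _multipart_children(head, body):
    """Return the child entities of a multipart body, or None if the entity is not multipart."""
    m = _CT_RE.search(head)
    if m is None or not m.group(1).strip().lower().startswith(b"multipart/"):
        return None
    bm = _BOUNDARY_RE.search(m.group(2))
    if bm is None:
        return None
    delim = b"--" + bm.group(1)
    parts, current, inside = [], [], False
    for line in body.split(b"\r\n"):
        if line == delim or line == delim + b"--":
            if inside:
                parts.append(b"\r\n".join(current))
            if line != delim:
                break  # closing delimiter; anything after it is epilogue
            current, inside = [], True
        elif inside:
            current.append(line)
    return parts


def max_depth_unbounded(raw, depth=0):
    """Vulnerable pattern: one stack frame per container, as deep as the sender nests."""
    children = _multipart_children(*_split_entity(raw))
    if children is None:
        return depth
    return max((max_depth_unbounded(c, depth + 1) for c in children), default=depth)


def max_depth_bounded(raw, limit, depth=0):
    """Hardened form: reject the message once nesting exceeds `limit` containers."""
    children = _multipart_children(*_split_entity(raw))
    if children is None:
        return depth
    if depth + 1 > limit:
        raise MimeTooDeep("multipart nesting exceeds %d levels" % limit)
    return max((max_depth_bounded(c, limit, depth + 1) for c in children), default=depth)


def exhausts_stack(raw):
    """True if the unbounded walker dies with RecursionError on this message."""
    try:
        max_depth_unbounded(raw)
    except RecursionError:
        return True
    return False


if __name__ == "__main__":
    print("5 levels, unbounded:", max_depth_unbounded(build_nested(5)))
    print("5 levels, limit 100:", max_depth_bounded(build_nested(5), limit=100))
    print("2000 levels, unbounded hits RecursionError:", exhausts_stack(build_nested(2000)))
    try:
        max_depth_bounded(build_nested(2000), limit=100)
    except MimeTooDeep as e:
        print("2000 levels, limit 100:", e)
```

The bounded walker stops after at most `limit` containers regardless of message size, which is the property the workaround relies on. The advisory does not name a particular MTA; as one concrete instance of "limit MIME structures in the MTA", Postfix enforces its `mime_nesting_limit` parameter (default 100) during input processing, so a message like the 2000-level one above is rejected before it reaches Dovecot's lmtp or lda.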