FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mail/dovecot -- multiple vulnerabilities

Affected packages
dovecot < 2.3.11

Details

VuXML ID 87a07de1-e55e-4d51-bb64-8d117829a26a
Discovery 2020-04-23
Entry 2020-08-13

Aki Tuomi reports:

Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory.

Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past the allocation, which can lead to a crash.

lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash.

Dovecot's RPA mechanism implementation accepts a zero-length message, which leads to an assert-crash later on.

References

CVE Name CVE-2020-10967
CVE Name CVE-2020-12100
CVE Name CVE-2020-12673
CVE Name CVE-2020-12674
URL https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html