[Dovecot-news] CVE-2019-19722: Critical vulnerability in Dovecot

aki.tuomi at dovecot.fi aki.tuomi at dovecot.fi
Fri Dec 13 16:17:03 EET 2019


> On 13/12/2019 12:44 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> 
>  
> Open-Xchange Security Advisory 2019-12-13
>  
> Product: Dovecot IMAP/POP3 Server
> Vendor: OX Software GmbH
>  
> Internal reference: DOV-3719
> Vulnerability type: NULL Pointer Dereference (CWE-476)
> Vulnerable version: 2.3.9
> Vulnerable component: push notification driver
> Report confidence: Confirmed
> Solution status: Fixed by Vendor
> Fixed version: 2.3.9.1
> Researcher credits: Frederik Schwan, Michael Stilkerich
> Vendor notification: 2019-12-10
> Solution date: 2019-12-12
> Public disclosure: 2019-12-13
> CVE reference: CVE-2019-19722
> CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C)
>  
> Vulnerability Details:
> Mail with group address as sender will cause a signal 11 crash in push
> notification drivers. Group address as recipient can cause crash in some
> drivers.
>  
> Risk:
> Repeated delivery attempts are made for the problematic mail, causing
> queueing in MTA.
>  
> Steps to reproduce:
> 1. Configure dovecot with push notifications enabled, such as OX push
> notification driver. This can also be observed with 3rd party plugin XAPS.
> 2. Send mail a group address as sender
>  
> Solution:
> Operators should update to the latest Patch Release.

Turns out the fix was only partial fix, please update to 2.3.9.2 instead of 2.3.9.1. CVE remains the same.

Aki Tuomi
Open-Xchange oy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: not available
URL: <https://dovecot.org/pipermail/dovecot-news/attachments/20191213/7851320d/attachment.sig>


More information about the Dovecot-news mailing list