CVE-2019-19722: Critical vulnerability in Dovecot

Aki Tuomi aki.tuomi at dovecot.fi
Fri Dec 13 12:44:31 EET 2019


Open-Xchange Security Advisory 2019-12-13
 
Product: Dovecot IMAP/POP3 Server
Vendor: OX Software GmbH
 
Internal reference: DOV-3719
Vulnerability type: NULL Pointer Dereference (CWE-476)
Vulnerable version: 2.3.9
Vulnerable component: push notification driver
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.9.1
Researcher credits: Frederik Schwan, Michael Stilkerich
Vendor notification: 2019-12-10
Solution date: 2019-12-12
Public disclosure: 2019-12-13
CVE reference: CVE-2019-19722
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C)
 
Vulnerability Details:
Mail with a group address as sender will cause a signal 11 crash in push
notification drivers. A group address as recipient can cause a crash in some
drivers.
 
Risk:
Repeated delivery attempts are made for the problematic mail, causing
queueing in the MTA.
 
Steps to reproduce:
1. Configure Dovecot with push notifications enabled, such as the OX push
notification driver. This can also be observed with the 3rd-party plugin XAPS.
2. Send a mail with a group address as sender.
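The failure mode behind this advisory, as an added example that is not Dovecot's code: an RFC 5322 group address such as `undisclosed-recipients:;` has no mailbox and no domain, so a parsed sender ends up with NULL fields, and a driver that formats "mailbox@domain" without checking dereferences NULL. The struct, the minimal parser and the function names below are constructed for this illustration; the hardened formatter falls back to the group name instead of crashing.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for a parsed RFC 5322 address, constructed for this example and not
 * Dovecot's own struct. For a group address the mailbox/domain pointers stay NULL. */
struct parsed_address {
    char buf[192];        /* backing storage for the fields below */
    const char *name;     /* group name or display name, may be NULL */
    const char *mailbox;  /* NULL for a group address */
    const char *domain;   /* NULL for a group address */
};

/* Minimal classifier, not a full RFC 5322 parser: display-name ":" [list] ";"
 * is a group; "<local@domain>" or bare "local@domain" is a mailbox.
 * Returns 0 on success, -1 if no address could be recognised. */
static int parse_address(const char *hdr, struct parsed_address *a)
{
    const char *lt = strchr(hdr, '<'), *at = strchr(hdr, '@');
    const char *colon = strchr(hdr, ':');
    size_t len = strlen(hdr);

    memset(a, 0, sizeof(*a));
    if (colon != NULL && (lt == NULL || colon < lt) && len > 0 && hdr[len - 1] == ';') {
        snprintf(a->buf, sizeof(a->buf), "%.*s", (int)(colon - hdr), hdr);
        a->name = a->buf;       /* mailbox and domain deliberately stay NULL */
        return 0;
    }
    if (at == NULL) return -1;
    const char *start = lt != NULL ? lt + 1 : hdr;
    const char *end = strchr(at, '>') != NULL ? strchr(at, '>') : hdr + len;
    int n = snprintf(a->buf, sizeof(a->buf), "%.*s", (int)(at - start), start);
    if (n < 0 || (size_t)n + 1 >= sizeof(a->buf)) return -1;
    snprintf(a->buf + n + 1, sizeof(a->buf) - n - 1, "%.*s", (int)(end - at - 1), at + 1);
    a->mailbox = a->buf;
    a->domain = a->buf + n + 1;
    return 0;
}

/* The unsafe shape is strlen(a->mailbox) with no check: on a group address it
 * reads through NULL and the process dies with SIGSEGV (signal 11), the crash the
 * advisory describes. Hardened form: returns 1 for a real mailbox@domain, 0 on fallback. */
static int format_sender(const struct parsed_address *a, char *out, size_t n)
{
    if (a->mailbox == NULL || a->domain == NULL) {
        snprintf(out, n, "%s", a->name != NULL ? a->name : "");
        return 0;
    }
    snprintf(out, n, "%s@%s", a->mailbox, a->domain);
    return 1;
}
```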
 
Solution:
Operators should update to the latest Patch Release.

