Dovecot-news March 2019

dovecot-news@dovecot.org

1 participants
5 discussions

v2.2.36.3 released
by Aki Tuomi 28 Mar '19

28 Mar '19

https://dovecot.org/releases/2.3/dovecot-2.2.36.3.tar.gz https://dovecot.org/releases/2.3/dovecot-2.2.36.3.tar.gz.sig * CVE-2019-7524: Missing input buffer size validation leads into arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index. Exploiting this requires direct write access to the index files. --- Aki Tuomi Open-Xchange oy

1 1

CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files
by Aki Tuomi 28 Mar '19

28 Mar '19

Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-2964 (Bug ID) Vulnerability type: CWE-120 Vulnerable version: 2.0.14 - 2.3.5 Vulnerable component: fts, pop3-uidl-plugin Report confidence: Confirmed Researcher credits: Found in internal testing Solution status: Fixed by Vendor Fixed version: 2.3.5.1, 2.2.36.3 Vendor notification: 2019-02-05 Solution date: 2019-03-21 Public disclosure: 2019-03-28 CVE reference: CVE-2019-7524 CVSS: 3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C (8.8) Vulnerability Details: When reading FTS or POP3-UIDL header from dovecot index, the input buffer size is not bound, and data is copied to target structure causing stack overflow. Risk: This can be used for local root privilege escalation or executing arbitrary code in dovecot process context. This requires ability to directly modify dovecot indexes. Steps to reproduce: Produce dovecot.index.log entry that creates an FTS header which has more than 12 bytes of data. Trigger dovecot indexer-worker or run doveadm index. Dovecot will crash. Mitigations: Since 2.3.0 dovecot has been compiled with stack smash protection, ASLR, read-only GOT tables and other techniques that make exploiting this bug much harder. Solution: Operators should update to the latest Patch Release. The only workaround is to disable FTS and pop3-uidl plugin. -- Aki Tuomi Open-Xchange Oy

1 0

v2.3.5.1 released
by Aki Tuomi 28 Mar '19

28 Mar '19

https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.5.1.tar.gz.sig Binary packages in https://repo.dovecot.org/ * CVE-2019-7524: Missing input buffer size validation leads into arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index. Exploiting this requires direct write access to the index files. --- Aki Tuomi Open-Xchange oy

1 0

Pigeonhole v0.5.5 released
by Aki Tuomi 05 Mar '19

05 Mar '19

Hi! We are happy to release pigeonhole v0.5.5 for dovecot v2.3.5. Please find sources at https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.5.ta… https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.5.ta… (Please note that the signing key has been changed for 0.5.5, see https://pigeonhole.dovecot.org/download.html for details.) You can find precompiled binaries at https://repo.dovecot.org/ NEWS: + IMAPSieve: Add new plugin/imapsieve_expunge_discarded setting which causes messages discarded by an IMAPSieve script to be expunged immediately, rather than only being marked as "\Deleted" (which is still the default behavior). - IMAPSieve: Fix panic crash occurring when a COPY command copies messages from a virtual mailbox where the source messages originate from more than a single real mailbox. - imap4flags extension: Fix deleting all keywords. When the action resulted in all keywords being removed, no changes were actually applied. - variables extension: Fix truncation of UTF-8 variable content. The maximum size of Sieve variables was enforced by truncating the variable string content bluntly at the limit, but this does not consider UTF-8 code point boundaries. This resulted in broken UTF-8 strings. This problem also surfaced for variable modifiers, such as the ":encodeurl" modifier provided by the Sieve "enotify" extension. In that case, the resulting URI escaping could also be truncated inappropriately. - IMAPSieve, IMAP FILTER=SIEVE: Fix replacing a modified message. Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context that modify the message, stored the message a second time, rather than replacing the originally stored unmodified message. - Fix segmentation fault occurring when both the sieve_extprograms plugin (for the Sieve interpreter) and the imap_filter_sieve plugin (for IMAP) are loaded at the same time. A symbol was defined by both plugins, causing a clash when both were loaded. --- Aki Tuomi Open-Xchange Oy

1 0

Dovecot v2.3.5 released
by Aki Tuomi 05 Mar '19

05 Mar '19

Hi! We are happy to release dovecot v2.3.5. Please find sources at https://dovecot.org/releases/2.3/dovecot-2.3.5.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.5.tar.gz.sig You can find precompiled binaries at https://repo.dovecot.org/ NEWS: + Lua push notification driver: mail keywords and flags are provided in MessageNew and MessageAppend events. + submission: Implement support for plugins. + auth: When auth_policy_log_only=yes, only log what the policy server response would do without actually doing it. + auth: Always log policy server decisions with auth_verbose=yes - v2.3.[34]: doveadm log errors: Output was missing user/session - lda: Debug log lines could have shown slightly corrupted - login proxy: Login processes may have crashed in various ways when login_proxy_max_disconnect_delay was set. - imap: Fix crash with Maildir+zlib if client disconnects during APPEND - lmtp proxy: Fix potential assert-crash - lmtp/submission: Fix crash when SMTP client transaction times out - submission: Split large XCLIENT commands to 512 bytes per command, so Postfix accepts them. - submission: Fix crash when client sends invalid BURL command - submission: relay backend: VRFY command: Avoid forwarding 500 and 502 replies back to client. - lib-http: Fix potential assert-crash when DNS lookup fails - lib-fts: Fix search query generation when one language ignores a token (e.g. via stopwords). --- Aki Tuomi Open-Xchange Oy

1 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

Dovecot-news March 2019