Open-Xchange Security Advisory 2020-02-12
Affected product: Dovecot Core
Internal reference: DOV-3743 (JIRA ID)
Vulnerability type: Improper Input Validation (CWE-30)
Vulnerable version: 2.3.9
Vulnerable component: lmtp, imap
Fixed version: 2.3.9.3
Report confidence: Confirmed
Solution status: Fixed
Researcher credits: Open-Xchange oy
Vendor notification: 2020-01-14
CVE reference: CVE-2020-7957
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)
Vulnerability Details:
Snippet generation crashes if:
- message is large enough that message-parser returns multiple body blocks
- the first block(s) don't contain the full snippet (e.g. full of whitespace)
- input ends with '>'
Risk:
Sending a specially crafted email can cause a mailbox to have permanently inaccessible mail, or the mail can get stuck in delivery.
Solution:
Upgrade to 2.3.9.3