Lets try again, put wrong changelog to the mail. Sorry about this.
https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz.sig Binary packages in https://repo.dovecot.org/
* CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. This could be used rather easily to cause a DoS. Similar crash also happens during mail delivery when using invalid UTF8 in From or Subject header when OX push notification driver is used.
Aki Tuomi Open-Xchange oy
Aki Tuomi via dovecot skrev den 2019-04-18 11:35:
* CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. This could be used rather easily to cause a DoS. Similar crash also happens during mail delivery when using invalid UTF8 in From or Subject header when OX push notification driver is used.
can this aswell crash dovecot policy service so check policy service on postfix tempfails ?
On 18 April 2019 14:40 Benny Pedersen via dovecot <dovecot@dovecot.org> wrote:
Aki Tuomi via dovecot skrev den 2019-04-18 11:35:
* CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. This could be used rather easily to cause a DoS. Similar crash also happens during mail delivery when using invalid UTF8 in From or Subject header when OX push notification driver is used.
can this aswell crash dovecot policy service so check policy service on postfix tempfails ?
I am not sure what "dovecot policy service" you mean
This bug only affects push notifications and auth policy (e.g. weakforced) connector, as they send out JSON. The crash isn't related to UTF-8 input handling as per such.
Aki
participants (2)
-
Aki Tuomi
-
Benny Pedersen