Re: [Dovecot-news] CVE-2019-19722: Critical vulnerability in Dovecot

On 13/12/2019 12:44 Aki Tuomi wrote:

Open-Xchange Security Advisory 2019-12-13   Product: Dovecot IMAP/POP3 Server Vendor: OX Software GmbH   Internal reference: DOV-3719 Vulnerability type: NULL Pointer Dereference (CWE-476) Vulnerable version: 2.3.9 Vulnerable component: push notification driver Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.9.1 Researcher credits: Frederik Schwan, Michael Stilkerich Vendor notification: 2019-12-10 Solution date: 2019-12-12 Public disclosure: 2019-12-13 CVE reference: CVE-2019-19722 CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C)   Vulnerability Details: Mail with group address as sender will cause a signal 11 crash in push notification drivers. Group address as recipient can cause crash in some drivers.   Risk: Repeated delivery attempts are made for the problematic mail, causing queueing in MTA.   Steps to reproduce: 1. Configure dovecot with push notifications enabled, such as OX push notification driver. This can also be observed with 3rd party plugin XAPS. 2. Send mail a group address as sender   Solution: Operators should update to the latest Patch Release.

Turns out the fix was only partial fix, please update to 2.3.9.2 instead of 2.3.9.1. CVE remains the same. Aki Tuomi Open-Xchange oy