From aki.tuomi at open-xchange.com Thu Apr 18 12:05:43 2019
From: aki.tuomi at open-xchange.com (Aki Tuomi)
Date: Thu, 18 Apr 2019 12:05:43 +0300
Subject: [Dovecot-news] v2.3.5.2 released
Message-ID:

https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz.sig

Binary packages in https://repo.dovecot.org/

* CVE-2019-7524: Missing input buffer size validation leads to an arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index. Exploiting this requires direct write access to the index files.

---
Aki Tuomi
Open-Xchange oy

From aki.tuomi at open-xchange.com Thu Apr 18 12:06:06 2019
From: aki.tuomi at open-xchange.com (Aki Tuomi)
Date: Thu, 18 Apr 2019 12:06:06 +0300
Subject: [Dovecot-news] CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters.
Message-ID: <4462d8a6-37c2-9125-924e-68e5e792adb4@open-xchange.com>

Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne.

You can find binary packages at https://repo.dovecot.org/

Yours sincerely,
Aki Tuomi
Open-Xchange Oy

Open-Xchange Security Advisory 2019-04-18

Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-3173 (Bug ID)
Vulnerability type: CWE-176
Vulnerable version: 2.3.0 - 2.3.5.1
Vulnerable component: json encoder
Report confidence: Confirmed
Researcher credits: cPanel L.L.C.
Solution status: Fixed by Vendor
Fixed version: 2.3.5.2
Vendor notification: 2019-04-02
Solution date: 2019-04-11
Public disclosure: 2019-04-18
CVE reference: CVE-2019-10691
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. This can be used to crash dovecot in two ways. An attacker can repeatedly crash the Dovecot authentication process by logging in using an invalid UTF-8 sequence in the username. This requires that auth policy is enabled. A crash can also occur if the OX push notification driver is enabled and an email is delivered with an invalid UTF-8 sequence in the From or Subject header.

In 2.2, malformed UTF-8 sequences are forwarded "as-is", and thus do not cause problems in Dovecot itself. Target systems should be checked for possible problems in dealing with such sequences.

See https://wiki.dovecot.org/Authentication/Policy for details on auth policy support.

Risk:
A determined attacker can prevent the authentication process from staying up by keeping on attempting to log in with a username containing an invalid UTF-8 sequence.

Steps to reproduce:
Configure dovecot with auth_policy_server_url and auth_policy_hash_nonce set.
Attempt to log in with a username containing an invalid UTF-8 sequence.
Observe the assert-crash in the dovecot logs.

Solution:
Operators should update to the latest Patch Release or disable auth policy support.

From aki.tuomi at open-xchange.com Thu Apr 18 12:35:53 2019
From: aki.tuomi at open-xchange.com (Aki Tuomi)
Date: Thu, 18 Apr 2019 12:35:53 +0300
Subject: [Dovecot-news] v2.3.5.2 released
Message-ID: <09952f6f-fcb3-f53b-850d-793602b7551a@open-xchange.com>

Let's try again, I put the wrong changelog in the mail. Sorry about this.
https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz.sig

Binary packages in https://repo.dovecot.org/

* CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. This could be used rather easily to cause a DoS. Similar crash also happens during mail delivery when using invalid UTF8 in From or Subject header when OX push notification driver is used.

---
Aki Tuomi
Open-Xchange oy

From aki.tuomi at open-xchange.com Tue Apr 30 16:21:01 2019
From: aki.tuomi at open-xchange.com (Aki Tuomi)
Date: Tue, 30 Apr 2019 16:21:01 +0300 (EEST)
Subject: [Dovecot-news] Dovecot release v2.3.6
Message-ID: <1106733159.203.1556630461218@appsuite-dev-guard.open-xchange.com>

Hi!

We are pleased to release Dovecot v2.3.6.

Tarball is available at
https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz.sig

Binary packages are available at https://repo.dovecot.org/

Changes
-------

* CVE-2019-11494: Submission-login crashed with signal 11 due to null pointer access when authentication was aborted by disconnecting.
* CVE-2019-11499: Submission-login crashed when authentication was started over TLS secured channel and invalid authentication message was sent.
* auth: Support password grant with passdb oauth2.
+ Use system default CAs for outbound TLS connections.
+ Simplify array handling with new helper macros.
+ fts_solr: Enable configuring batch_size and soft_commit features.
- lmtp/submission: Fixed various bugs in XCLIENT handling, including a hang when XCLIENT commands were sent infinitely to the remote server.
- lmtp/submission: Forwarded multi-line replies were erroneously sent as two replies to the client.
- lib-smtp: client: Message was not guaranteed to contain CRLF consistently when CHUNKING was used.
- fts_solr: Plugin was no longer compatible with Solr 7.
- Make it possible to disable certificate checking without setting ssl_client_ca_* settings.
- pop3c: SSL support was broken.
- mysql: Closing connection twice led to crash on some systems.
- auth: Multiple oauth2 passdbs crashed auth process on deinit.
- HTTP client connection errors infrequently triggered a segmentation fault when the connection was idle and not used for a particular client instance.

---
Aki Tuomi
Open-Xchange oy

From aki.tuomi at open-xchange.com Tue Apr 30 16:25:06 2019
From: aki.tuomi at open-xchange.com (Aki Tuomi)
Date: Tue, 30 Apr 2019 16:25:06 +0300 (EEST)
Subject: [Dovecot-news] CVE-2019-11494: Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting.
Message-ID: <1810143687.205.1556630706520@appsuite-dev-guard.open-xchange.com>

Open-Xchange Security Advisory 2019-04-30

Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-3212 (Bug ID)
Vulnerability type: CWE-476
Vulnerable version: 2.3.0 - 2.3.5.2
Vulnerable component: submission-login
Report confidence: Confirmed
Researcher credits: Marcelo Coelho
Solution status: Fixed by Vendor
Fixed version: 2.3.6
Vendor notification: 2019-03-11
Solution date: 2019-04-23
Public disclosure: 2019-04-30
CVE reference: CVE-2019-11494
CVSS: 7.5 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting. This can lead to a denial-of-service attack by persistent attacker(s).
Workaround:
There is no available workaround for this issue.

Solution:
Operators should upgrade to a fixed version.

From aki.tuomi at open-xchange.com Tue Apr 30 16:26:54 2019
From: aki.tuomi at open-xchange.com (Aki Tuomi)
Date: Tue, 30 Apr 2019 16:26:54 +0300 (EEST)
Subject: [Dovecot-news] CVE-2019-11499: Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent
Message-ID: <1925516563.207.1556630814192@appsuite-dev-guard.open-xchange.com>

Open-Xchange Security Advisory 2019-04-30

Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-3223 (Bug ID)
Vulnerability type: CWE-617
Vulnerable version: 2.3.0 - 2.3.5.2
Vulnerable component: submission-login
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.6
Vendor notification: 2019-03-11
Solution date: 2019-04-23
Public disclosure: 2019-04-30
CVE reference: CVE-2019-11499
CVSS: 7.5 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent. This can lead to a denial-of-service attack by persistent attacker(s).

Workaround:
Authentication crash can be avoided if authentication is done without TLS.

Solution:
Operators should upgrade to a fixed version.

From aki.tuomi at open-xchange.com Tue Apr 30 16:46:21 2019
From: aki.tuomi at open-xchange.com (Aki Tuomi)
Date: Tue, 30 Apr 2019 16:46:21 +0300 (EEST)
Subject: [Dovecot-news] Pigeonhole release 0.5.6
Message-ID: <722221349.217.1556631981365@appsuite-dev-guard.open-xchange.com>

Hi!
We are pleased to release Pigeonhole 0.5.6 for Dovecot 2.3.6.

Tarball
https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.6.tar.gz
https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.6.tar.gz.sig

Binary packages can be found at https://repo.dovecot.org/

Changes

+ sieve: Redirect loop prevention is sometimes ineffective. Improve existing loop detection by also recognizing the X-Sieve-Redirected-From header in incoming messages and dropping redirect actions when it points to the sending account. This header is already added by the redirect action, so this improvement only adds an additional use of this header.
- sieve: Prevent execution of implicit keep upon temporary failure occurring at runtime.

---
Aki Tuomi
Open-Xchange oy
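The CVE-2019-10691 advisory above describes a JSON encoder that assert-crashes when a username or mail header contains invalid UTF-8. The following is an added example, not Dovecot's code, of the defensive alternative for that failure mode: a JSON string escaper that validates each UTF-8 sequence (rejecting overlong forms, surrogates and out-of-range values as well as bad bytes) and substitutes U+FFFD for anything malformed, so the process keeps running and the output stays valid JSON. The function names and the sample inputs are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the well-formed UTF-8 sequence starting at s (at most n bytes),
   or 0 if the bytes at s are not a valid sequence: bad lead or continuation
   byte, overlong form, UTF-16 surrogate, or a value above U+10FFFF. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    if (n == 0) return 0;
    unsigned char c = s[0];
    size_t len; unsigned int cp;
    if (c < 0x80) return 1;
    else if (c >= 0xC2 && c <= 0xDF) { len = 2; cp = c & 0x1F; }
    else if (c >= 0xE0 && c <= 0xEF) { len = 3; cp = c & 0x0F; }
    else if (c >= 0xF0 && c <= 0xF4) { len = 4; cp = c & 0x07; }
    else return 0;                      /* 0x80-0xC1, 0xF5-0xFF never lead */
    if (n < len) return 0;              /* truncated sequence */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if ((len == 3 && cp < 0x800) || (len == 4 && cp < 0x10000)) return 0;
    if (cp >= 0xD800 && cp <= 0xDFFF) return 0;
    if (cp > 0x10FFFF) return 0;
    return len;
}

/* Escape `in` as the contents of a JSON string into `out` (size outsz).
   Invalid UTF-8 is replaced by \uFFFD instead of aborting the process.
   Returns the number of replacements made, or -1 if `out` is too small. */
int json_escape_utf8(const char *in, char *out, size_t outsz)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t n = strlen(in), o = 0;
    int replaced = 0;
    for (size_t i = 0; i < n; ) {
        size_t len = utf8_seq_len(s + i, n - i);
        char buf[8]; size_t blen;
        if (len == 0) { memcpy(buf, "\\uFFFD", 6); blen = 6; len = 1; replaced++; }
        else if (len == 1 && (s[i] == '"' || s[i] == '\\')) { buf[0] = '\\'; buf[1] = (char)s[i]; blen = 2; }
        else if (len == 1 && s[i] < 0x20) { blen = (size_t)snprintf(buf, sizeof buf, "\\u%04X", (unsigned)s[i]); }
        else { memcpy(buf, s + i, len); blen = len; }   /* valid sequence passes through */
        if (o + blen >= outsz) return -1;
        memcpy(out + o, buf, blen); o += blen; i += len;
    }
    out[o] = '\0';
    return replaced;
}
```

Feeding a value such as a submitted username through json_escape_utf8 before it reaches a JSON consumer (an auth policy server, a push endpoint) is the check the advisory's "target systems should be checked" sentence points at.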