[Dovecot-news] v220.127.116.11 released
aki.tuomi at dovecot.fi
Mon May 18 15:03:06 EEST 2020
We are pleased to release v18.104.22.168 Please find it from locations below:
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot
- CVE-2020-10957: lmtp/submission: A client can crash the server by
sending a NOOP command with an invalid string parameter. This occurs
particularly for a parameter that doesn't start with a double quote.
This applies to all SMTP services, including submission-login, which
makes it possible to crash the submission service without
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown
commands can cause the server to access freed memory, which can lead
to a server crash. This happens when the server closes the connection
with a "421 Too many invalid commands" error. The bad command limit
depends on the service (lmtp or submission) and varies between 10 to
20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
address that has the empty quoted string as local-part causes the
lmtp service to crash.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 475 bytes
Desc: not available
More information about the Dovecot-news