[Dovecot-news] v2.3.10.1 released
Aki Tuomi
aki.tuomi at dovecot.fi
Mon May 18 15:03:06 EEST 2020
We are pleased to release v2.3.10.1. Please find it at the locations below:
https://dovecot.org/releases/2.3/dovecot-2.3.10.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.10.1.tar.gz.sig
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot
Aki Tuomi
Open-Xchange oy
---
- CVE-2020-10957: lmtp/submission: A client can crash the server by
  sending a NOOP command with an invalid string parameter. This occurs
  particularly for a parameter that doesn't start with a double quote.
  This applies to all SMTP services, including submission-login, which
  makes it possible to crash the submission service without
  authentication.
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown
  commands can cause the server to access freed memory, which can lead
  to a server crash. This happens when the server closes the connection
  with a "421 Too many invalid commands" error. The bad command limit
  depends on the service (lmtp or submission) and varies between 10 and
  20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
  address that has the empty quoted string as local-part causes the
  lmtp service to crash.