v2.3.5.2 released

Aki Tuomi aki.tuomi at open-xchange.com
Thu Apr 18 15:24:08 EEST 2019


> On 18 April 2019 14:40 Benny Pedersen via dovecot <dovecot at dovecot.org> wrote:
> 
>  
> Aki Tuomi via dovecot skrev den 2019-04-18 11:35:
> 
> >     * CVE-2019-10691: Trying to login with 8bit username containing
> >       invalid UTF8 input causes auth process to crash if auth policy is
> >       enabled. This could be used rather easily to cause a DoS. Similar
> >       crash also happens during mail delivery when using invalid UTF8 
> > in
> >       From or Subject header when OX push notification driver is used.
> 
> can this aswell crash dovecot policy service so check policy service on 
> postfix tempfails ?

I am not sure what "dovecot policy service" you mean

This bug only affects push notifications and auth policy (e.g. weakforced) connector, as they send out JSON. The crash isn't related to UTF-8 input handling as per such.

Aki


More information about the dovecot mailing list