Bug 1132501 (CVE-2019-10691) - VUL-0: CVE-2019-10691: dovecot23,dovecot: Escape invalid UTF-8 as unicode bytes
Status: RESOLVED FIXED
Alias: CVE-2019-10691
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Peter Varkoly
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/229621/
Reported: 2019-04-15 09:24 UTC by Marcus Meissner
Modified: 2019-09-03 12:41 UTC

Attachments
0001-lib-json-Escape-invalid-UTF-8-as-unicode-bytes.patch (2.45 KB, patch)
2019-04-15 09:24 UTC, Marcus Meissner
Comment 1 Marcus Meissner 2019-04-15 09:24:48 UTC
Created attachment 802900
0001-lib-json-Escape-invalid-UTF-8-as-unicode-bytes.patch
Comment 4 Marcus Meissner 2019-04-18 11:40:58 UTC
is public now:

https://dovecot.org/pipermail/dovecot-news/2019-April/000407.html

    * CVE-2019-10691: Trying to login with 8bit username containing
      invalid UTF8 input causes auth process to crash if auth policy is
      enabled. This could be used rather easily to cause a DoS. Similar
      crash also happens during mail delivery when using invalid UTF8 in
      From or Subject header when OX push notification driver is used.
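The attached patch's title names the mitigation: lib-json escapes invalid UTF-8 as unicode bytes. The sketch below is an added example of that idea, not code from the patch or from Dovecot; the names `utf8_seq_len` and `json_escape` are hypothetical, and mapping an invalid byte 0xNN to `\u00NN` is an assumed reading of the patch title.

```c
#include <stdio.h>
#include <string.h>

/* Length of the well-formed UTF-8 sequence at s, or 0 if it is invalid
   (stray/truncated bytes, overlong form, surrogate, above U+10FFFF). */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
	size_t len = 0, i;
	unsigned long cp = 0, min = 0;

	if (s[0] < 0x80) return 1;
	if ((s[0] & 0xE0) == 0xC0) { len = 2; cp = s[0] & 0x1F; min = 0x80; }
	else if ((s[0] & 0xF0) == 0xE0) { len = 3; cp = s[0] & 0x0F; min = 0x800; }
	else if ((s[0] & 0xF8) == 0xF0) { len = 4; cp = s[0] & 0x07; min = 0x10000; }
	else return 0;
	if (len > n) return 0;
	for (i = 1; i < len; i++) {
		if ((s[i] & 0xC0) != 0x80) return 0;
		cp = (cp << 6) | (s[i] & 0x3F);
	}
	return (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) ? 0 : len;
}

/* Hypothetical helper: write src as the body of a JSON string into dst.
   Returns the number of bytes written, or -1 if dst is too small. */
int json_escape(char *dst, size_t cap, const unsigned char *src, size_t n)
{
	size_t i = 0, o = 0, len;

	while (i < n) {
		if (o + 7 > cap) return -1; /* one step writes at most 6 bytes + NUL */
		len = utf8_seq_len(src + i, n - i);
		if (len == 0 || src[i] < 0x20 || src[i] == '"' || src[i] == '\\') {
			/* invalid byte, control char or JSON metachar becomes \u00XX */
			o += (size_t)snprintf(dst + o, cap - o, "\\u%04x", (unsigned)src[i]);
			i++;
		} else {
			memcpy(dst + o, src + i, len); /* valid sequence, copied as is */
			o += len;
			i += len;
		}
	}
	if (o >= cap) return -1;
	dst[o] = '\0';
	return (int)o;
}
```

The output is always well-formed JSON, but the mapping is lossy: a receiver decodes `\u00ff` as U+00FF, not as the raw byte 0xFF.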
Comment 5 Swamp Workflow Management 2019-04-18 12:30:28 UTC
This is an autogenerated message for OBS integration:
This bug (1132501) was mentioned in
https://build.opensuse.org/request/show/695556 Factory / dovecot23
https://build.opensuse.org/request/show/695557 15.1 / dovecot23
Comment 6 Swamp Workflow Management 2019-04-23 22:10:01 UTC
SUSE-SU-2019:0997-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1132501
CVE References: CVE-2019-10691
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    dovecot23-2.3.3-4.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-05-02 19:09:03 UTC
openSUSE-SU-2019:1312-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1132501
CVE References: CVE-2019-10691
Sources used:
openSUSE Leap 15.0 (src):    dovecot23-2.3.3-lp150.11.1
Comment 8 Marcus Meissner 2019-09-03 12:41:29 UTC
released