Bugzilla – Bug 1132501
VUL-0: CVE-2019-10691: dovecot23,dovecot: Escape invalid UTF-8 as unicode bytes
Last modified: 2019-09-03 12:41:29 UTC
Created attachment 802900: 0001-lib-json-Escape-invalid-UTF-8-as-unicode-bytes.patch
is public now:
https://dovecot.org/pipermail/dovecot-news/2019-April/000407.html
* CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. This could be used rather easily to cause a DoS. Similar crash also happens during mail delivery when using invalid UTF8 in From or Subject header when OX push notification driver is used.
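The attached patch's title names the fix: invalid UTF-8 reaching the JSON code is escaped rather than passed through. The following is an added example, not Dovecot's code and not part of this bug report, of a JSON string escaper that treats attacker-controlled bytes (such as a login username) this way. The function names and the choice of one `\u00XX` escape per malformed byte are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Length (1-4) of the well-formed UTF-8 sequence at p, or 0 if the bytes
   are malformed: stray continuation, truncation, overlong form, surrogate,
   or a value above U+10FFFF. Caller guarantees left >= 1. */
static size_t utf8_seq_len(const unsigned char *p, size_t left)
{
    size_t len, i;
    unsigned long cp;

    if (p[0] < 0x80) return 1;
    else if ((p[0] & 0xE0) == 0xC0) { len = 2; cp = p[0] & 0x1F; }
    else if ((p[0] & 0xF0) == 0xE0) { len = 3; cp = p[0] & 0x0F; }
    else if ((p[0] & 0xF8) == 0xF0) { len = 4; cp = p[0] & 0x07; }
    else return 0;
    if (len > left) return 0;
    for (i = 1; i < len; i++) {
        if ((p[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (p[i] & 0x3F);
    }
    if ((len == 2 && cp < 0x80) || (len == 3 && cp < 0x800) ||
        (len == 4 && cp < 0x10000) || cp > 0x10FFFF ||
        (cp >= 0xD800 && cp <= 0xDFFF))
        return 0;
    return len;
}

/* Hypothetical helper: write a JSON-safe, NUL-terminated copy of in[0..n)
   into out. Returns the output length, or (size_t)-1 if out is too small. */
size_t json_escape_bytes(const unsigned char *in, size_t n, char *out, size_t cap)
{
    size_t i = 0, o = 0, len;

    if (cap == 0) return (size_t)-1;
    while (i < n) {
        if (cap - o < 7) return (size_t)-1; /* room for \uXXXX plus NUL */
        len = utf8_seq_len(in + i, n - i);
        if (len == 0 || in[i] < 0x20 || in[i] == '"' || in[i] == '\\') {
            /* malformed byte, control char, quote or backslash: \u00XX */
            o += (size_t)snprintf(out + o, cap - o, "\\u%04x", (unsigned)in[i]);
            i++;
        } else {
            memcpy(out + o, in + i, len); /* valid sequence copied as-is */
            o += len; i += len;
        }
    }
    out[o] = '\0';
    return o;
}
```

The output is always valid UTF-8 and valid JSON string content, so code that consumes it does not have to handle malformed sequences.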
This is an autogenerated message for OBS integration:
This bug (1132501) was mentioned in
https://build.opensuse.org/request/show/695556 Factory / dovecot23
https://build.opensuse.org/request/show/695557 15.1 / dovecot23
SUSE-SU-2019:0997-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1132501
CVE References: CVE-2019-10691
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src): dovecot23-2.3.3-4.13.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1312-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1132501
CVE References: CVE-2019-10691
Sources used:
openSUSE Leap 15.0 (src): dovecot23-2.3.3-lp150.11.1
released