oss-security - CVE request: Dovecot DoS in 2.x (fixed in 2.1.11)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-ID: <20121203173341.GS2689@redhat.com>
Date: Mon, 3 Dec 2012 10:33:41 -0700
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: Dovecot DoS in 2.x (fixed in 2.1.11)

Could a CVE be assigned for the following please?

Dovecot 2.1.11 was released and includes a fix for a crash condition
when the IMAP server was issued a SEARCH command with multiple KEYWORD
parameters.  An authenticated remote user could use this flaw to crash
Dovecot.

The upstream fix was to remove the keyword merging code.  This code
does not exist in Dovecot 1.x, but it does affect 2.x versions, at least
as far back as 2.0.9 (earliest version I checked).

References:

http://www.dovecot.org/list/dovecot-news/2012-November/000235.html
http://secunia.com/advisories/51455
http://hg.dovecot.org/dovecot-2.1/rev/0306792cc843
https://bugzilla.redhat.com/show_bug.cgi?id=883060

Thanks.

-- 
Vincent Danen / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.