CVE-2020-7046
lib-smtp doesn't handle truncated command parameters properly, resulting
in an infinite loop taking 100% CPU for the process. This happens for LMTP
(where it doesn't matter so much) and also for submission-login where
unauthenticated users can trigger it.
CVE-2020-7957
Snippet generation crashes if:
- message is large enough that message-parser returns multiple body blocks
- The first block(s) don't contain the full snippet (e.g. full of whitespace)
- input ends with '>'
Sending specially crafted email can cause mailbox to have permanently
inaccessible mail, or the mail can be stuck in delivery.
- CVE-2019-11494: Submission-login crashed with signal 11 due to null
pointer access when authentication was aborted by disconnecting.
- CVE-2019-11499: Submission-login crashed when authentication was
started over TLS secured channel and invalid authentication message was
sent.
Remove mention of full-text search since the internal FTS indexer
was removed and it's out-of-process now. Requested by sthen@
No feedback from maintainer.
CVE-2019-10691: Trying to log in with an 8-bit username containing invalid
UTF-8 input causes the auth process to crash if auth policy is enabled. This
could be used rather easily to cause a DoS. A similar crash also happens
during mail delivery when using invalid UTF-8 in the From or Subject header
when the OX push notification driver is used.
ok brad (maintainer)
* CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted
certificate with missing username field (ssl_cert_username_field), under
some configurations Dovecot mistakenly trusts the username provided via
authentication instead of failing.
* ssl_cert_username_field setting was ignored with external SMTP
AUTH, because none of the MTAs (Postfix, Exim) currently send the
cert_username field. This may have allowed users with trusted
certificate to specify any username in the authentication. This bug
didn't affect Dovecot's Submission service.
convert ssl_protocols strings to min/max values. Patch to neuter the autoconf
check because this code doesn't work correctly (in particular it doesn't
handle strings with !SSLv2) and fall back to the old working code instead.
No reply to https://www.dovecot.org/pipermail/dovecot/2018-March/111260.html
but the code is different in Dovecot master/2.3 (it looks like they did it
this way in 2.2 so they could use the 1.1-api functions without config
changes, but it backfired).
ok Brad
protocol string to avoid using !SSLv2 which is not supported. ok juanfra@ Brad
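The two messages above concern turning an ssl_protocols string such as "!SSLv2 !SSLv3" into a minimum/maximum protocol version, and note that the autoconf-selected code could not handle strings that exclude SSLv2. The following is an added example written for this page, not Dovecot's or the port's code. It assumes its own semantics for the string: plain names form an allow-list (no plain names means everything), "!" names are removed from it, and the result must be a contiguous range. The protocol table and its ordering are constructed here; mapping the resulting indexes onto a TLS library's version constants is left to the caller, which is also why "!SSLv2" is harmless: it only removes an entry, so the computed minimum is TLSv1 even on a library that has no SSLv2 at all.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/*
 * Protocol versions in ascending order; the array index is the ordering
 * used for min/max. (Constructed table for this example; map indexes to
 * your TLS library's version constants in the caller.)
 */
enum { P_SSLV2, P_SSLV3, P_TLSV1, P_TLSV1_1, P_TLSV1_2, P_TLSV1_3, P_COUNT };
static const char *const proto_names[P_COUNT] = {
    "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"
};

static int proto_lookup(const char *name, size_t len)
{
    for (int i = 0; i < P_COUNT; i++) {
        if (strlen(proto_names[i]) == len &&
            strncmp(proto_names[i], name, len) == 0)
            return i;
    }
    return -1;
}

/*
 * Convert an ssl_protocols-style string ("!SSLv2 !SSLv3", "TLSv1.2 TLSv1.3")
 * into an inclusive [min, max] index range. Assumed semantics: names without
 * '!' form an allow-list (no plain names means "everything"), '!' names are
 * removed from that list. Returns 0 on success, -1 on an unknown name, an
 * empty result, or a set with holes that a min/max pair cannot express.
 */
int ssl_protocols_to_min_max(const char *str, int *min_out, int *max_out)
{
    bool included[P_COUNT] = { false }, excluded[P_COUNT] = { false };
    bool have_include = false;
    const char *p = str;

    while (*p != '\0') {
        while (*p == ' ' || *p == '\t' || *p == ',')
            p++;
        if (*p == '\0')
            break;
        bool neg = (*p == '!');
        if (neg)
            p++;
        const char *start = p;
        while (*p != '\0' && *p != ' ' && *p != '\t' && *p != ',')
            p++;
        int idx = proto_lookup(start, (size_t)(p - start));
        if (idx < 0)
            return -1;               /* unknown protocol name */
        if (neg) {
            excluded[idx] = true;    /* "!SSLv2" just drops SSLv2 */
        } else {
            included[idx] = true;
            have_include = true;
        }
    }

    int min = -1, max = -1;
    for (int i = 0; i < P_COUNT; i++) {
        bool allowed = (!have_include || included[i]) && !excluded[i];
        if (!allowed)
            continue;
        if (min < 0)
            min = i;
        else if (i != max + 1)
            return -1;               /* hole in the set, e.g. "TLSv1 TLSv1.2" */
        max = i;
    }
    if (min < 0)
        return -1;                   /* nothing left, e.g. everything excluded */
    *min_out = min;
    *max_out = max;
    return 0;
}

int main(void)
{
    const char *examples[] = { "!SSLv2 !SSLv3", "TLSv1.2 TLSv1.3", "TLSv1 TLSv1.2" };
    for (size_t i = 0; i < sizeof examples / sizeof examples[0]; i++) {
        int mn, mx;
        if (ssl_protocols_to_min_max(examples[i], &mn, &mx) == 0)
            printf("%-18s -> min=%s max=%s\n", examples[i],
                   proto_names[mn], proto_names[mx]);
        else
            printf("%-18s -> cannot be expressed as min/max\n", examples[i]);
    }
    return 0;
}
```

"TLSv1 TLSv1.2" is rejected rather than silently widened to TLSv1..TLSv1.2, since a min/max pair cannot express a set with a gap; a converter that quietly widened it would enable TLSv1.1 the administrator had not asked for.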
* CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage,
causing imap-login/pop3-login VSZ limit to be reached and the process
restarted. This happens only if Dovecot config has local_name { } or local
{ } configuration blocks and attacker uses randomly generated SNI servernames.
* CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak
memory contents to attacker. For example, these memory contents might contain
parts of an email from another user if the same imap process is reused for
multiple users.
* CVE-2017-15132: Aborted SASL authentication leaks memory in login process.
- doveadm: Fix crash in proxying (or dsync replication) if remote is
running older than v2.2.33
- auth: Fix memory leak in %{ldap_dn}
- dict-sql: Fix data types to work correctly with Cassandra
* passdb/userdb dict: Don't double-expand %variables in keys. If dict
was used as the authentication passdb, using specially crafted
%variables in the username could be used to cause DoS (CVE-2017-2669)
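The CVE-2017-2669 entry above says the fix was to stop expanding %variables in dict keys twice. The following added example, written for this page and not taken from Dovecot, shows what double expansion does to a key: a minimal expander (an assumption for this example, recognising only %u, %d and %%) is applied once, which is correct, and then a second time, at which point '%' sequences carried in by the username are interpreted as variables and the key points somewhere else. The DoS the entry mentions is not reproduced here; the example only shows the variable-injection effect that makes a second pass over untrusted input unsafe.

```c
#include <stdio.h>
#include <string.h>

/* Variables available to the expander (constructed for this example). */
struct auth_vars {
    const char *user;
    const char *domain;
};

/*
 * Minimal %-variable expander, an assumption for this example: only %u
 * (user), %d (domain) and %% (literal percent) are recognised; any other
 * '%' sequence, including a trailing '%', is an error.
 */
static int expand_vars(const char *tmpl, const struct auth_vars *v,
                       char *out, size_t outsz)
{
    size_t o = 0;

    for (const char *p = tmpl; *p != '\0'; p++) {
        const char *rep;
        char literal[2] = { *p, '\0' };

        if (*p != '%') {
            rep = literal;
        } else {
            switch (*++p) {
            case 'u': rep = v->user;   break;
            case 'd': rep = v->domain; break;
            case '%': rep = "%";       break;
            default:  return -1;       /* unknown or dangling '%' */
            }
        }
        size_t n = strlen(rep);
        if (o + n >= outsz)
            return -1;                 /* would not fit with the NUL */
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}

/* Correct: the key template is expanded exactly once. */
int dict_key_single(const char *tmpl, const struct auth_vars *v,
                    char *out, size_t outsz)
{
    return expand_vars(tmpl, v, out, outsz);
}

/*
 * Buggy variant: the already-expanded key is expanded again, so any '%'
 * sequences that arrived inside the username are interpreted as variables.
 */
int dict_key_double(const char *tmpl, const struct auth_vars *v,
                    char *out, size_t outsz)
{
    char once[256];

    if (expand_vars(tmpl, v, once, sizeof once) < 0)
        return -1;
    return expand_vars(once, v, out, outsz);
}

int main(void)
{
    /* Constructed input: a username that is itself a %-variable. */
    const struct auth_vars v = { "%d", "example.com" };
    char single[256], twice[256];

    dict_key_single("passdb/%u", &v, single, sizeof single);
    dict_key_double("passdb/%u", &v, twice, sizeof twice);
    printf("single expansion: %s\n", single);  /* passdb/%d          */
    printf("double expansion: %s\n", twice);   /* passdb/example.com */
    return 0;
}
```

With a plain username both paths produce the same key, which is why the bug goes unnoticed until someone authenticates with a name containing '%'. The single-pass version keeps whatever the client sent as literal text; the second pass hands the client control over which variables are substituted, and an unknown sequence in the name turns a lookup into an error.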
CVE-2016-8652 (the version in 6.0 isn't affected): "If auth-policy
component has been activated in Dovecot, then remote user can use
SASL authentication to crash auth component. Workaround is to disable
auth-policy component until fix is in place."