Errata ALT-PU-2020-1989-1: Information
Fixes
Published: Dec. 13, 2019
Modified: Nov. 7, 2023
CVE-2019-19722
In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.
Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Published: May 18, 2020
Modified: Nov. 7, 2023
CVE-2020-10957
In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
- https://dovecot.org/security
- https://www.openwall.com/lists/oss-security/2020/05/18/1
- [oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server
- 20200519 Multiple vulnerabilities in Dovecot IMAP server
- http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html
- DSA-4690
- USN-4361-1
- openSUSE-SU-2020:0720
- FEDORA-2020-1dee17d880
- FEDORA-2020-b60344c987
Published: May 18, 2020
Modified: Nov. 7, 2023
CVE-2020-10958
In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command.
Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Links:
- https://dovecot.org/security
- https://www.openwall.com/lists/oss-security/2020/05/18/1
- [oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server
- 20200519 Multiple vulnerabilities in Dovecot IMAP server
- http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html
- DSA-4690
- USN-4361-1
- openSUSE-SU-2020:0720
- FEDORA-2020-1dee17d880
- FEDORA-2020-b60344c987
Published: May 18, 2020
Modified: Nov. 7, 2023
CVE-2020-10967
In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.
Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Links:
- https://dovecot.org/security
- https://www.openwall.com/lists/oss-security/2020/05/18/1
- [oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server
- 20200519 Multiple vulnerabilities in Dovecot IMAP server
- http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html
- DSA-4690
- USN-4361-1
- openSUSE-SU-2020:0720
- FEDORA-2020-1dee17d880
- FEDORA-2020-b60344c987
- FEDORA-2020-cd8b8f887b
- FEDORA-2020-b8ebc4201e
- FEDORA-2020-d737c57172