> On 13/12/2019 12:44 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>
>
> Open-Xchange Security Advisory 2019-12-13
>
> Product: Dovecot IMAP/POP3 Server
> Vendor: OX Software GmbH
>
> Internal reference: DOV-3719
> Vulnerability type: NULL Pointer Dereference (CWE-476)
> Vulnerable version: 2.3.9
> Vulnerable component: push notification driver
> Report confidence: Confirmed
> Solution status: Fixed by Vendor
> Fixed version: 2.3.9.1
> Researcher credits: Frederik Schwan, Michael Stilkerich
> Vendor notification: 2019-12-10
> Solution date: 2019-12-12
> Public disclosure: 2019-12-13
> CVE reference: CVE-2019-19722
> CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C)
>
> Vulnerability Details:
> Mail with a group address as sender will cause a signal 11 crash in push
> notification drivers. A group address as recipient can cause a crash in some
> drivers.
>
> Risk:
> Repeated delivery attempts are made for the problematic mail, causing
> queueing in the MTA.
>
> Steps to reproduce:
> 1. Configure dovecot with push notifications enabled, such as the OX push
> notification driver. This can also be observed with the 3rd party plugin XAPS.
> 2. Send mail with a group address as sender
>
> Solution:
> Operators should update to the latest Patch Release.
Turns out the fix was only a partial fix; please update to 2.3.9.2 instead of 2.3.9.1. The CVE remains the same.

Aki Tuomi
Open-Xchange oy
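The advisory describes a NULL pointer dereference triggered by an RFC 5322 group address ("undisclosed-recipients:;" style) in the sender field: a group carries no mailbox or domain of its own, so the parsed address has NULL where a formatter expects strings. The following C program is an added illustration of that failure class and its mitigation; it is not Dovecot or OX code, and the `struct addr`, `addr_parse` and `addr_format` names, the simplified address grammar and the sample inputs are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Dovecot code. A group address ("name:;" or
 * "name: a@x, b@y;") has no mailbox/domain of its own, so a parsed
 * address may legitimately carry NULL in those fields. Any code that
 * renders the sender (e.g. for a push notification payload) must check
 * for that before dereferencing, or it faults with signal 11 (CWE-476). */

struct addr {
    char *name;     /* display name, or the group name for a group */
    char *mailbox;  /* NULL for a group */
    char *domain;   /* NULL for a group, or for a bare local part */
    int   is_group;
};

/* Copy the first n bytes of s into a fresh NUL-terminated string. */
static char *dup_n(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (p == NULL) abort();
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

/* Parse one address. Assumed, simplified grammar (no comments, quoting
 * or whitespace handling): a ':' before any '@' marks a group,
 * "local@domain" is a normal mailbox, anything else is a bare local part. */
struct addr *addr_parse(const char *s) {
    struct addr *a = calloc(1, sizeof *a);
    if (a == NULL) abort();
    const char *colon = strchr(s, ':');
    const char *at = strchr(s, '@');
    if (colon != NULL && (at == NULL || colon < at)) {
        a->is_group = 1;
        a->name = dup_n(s, (size_t)(colon - s));
        return a;               /* mailbox and domain stay NULL */
    }
    if (at == NULL) {
        a->mailbox = dup_n(s, strlen(s));
        return a;               /* domain stays NULL */
    }
    a->mailbox = dup_n(s, (size_t)(at - s));
    a->domain = dup_n(at + 1, strlen(at + 1));
    return a;
}

/* NULL-safe formatter (the hardened form). A group renders as "name:;",
 * a mailbox without a domain as just the local part. A formatter that
 * called strlen(a->mailbox) unconditionally would crash on the group case. */
char *addr_format(const struct addr *a) {
    if (a->is_group) {
        const char *name = a->name != NULL ? a->name : "";
        size_t n = strlen(name);
        char *out = malloc(n + 3);
        if (out == NULL) abort();
        memcpy(out, name, n);
        memcpy(out + n, ":;", 3);
        return out;
    }
    const char *mb = a->mailbox != NULL ? a->mailbox : "";
    if (a->domain == NULL)
        return dup_n(mb, strlen(mb));
    size_t n = strlen(mb) + 1 + strlen(a->domain);
    char *out = malloc(n + 1);
    if (out == NULL) abort();
    snprintf(out, n + 1, "%s@%s", mb, a->domain);
    return out;
}

void addr_free(struct addr *a) {
    if (a == NULL) return;
    free(a->name);
    free(a->mailbox);
    free(a->domain);
    free(a);
}

int main(void) {
    /* Constructed sample header values, including the group form. */
    const char *samples[] = { "undisclosed-recipients:;", "alice@example.com", "bob" };
    for (size_t i = 0; i < 3; i++) {
        struct addr *a = addr_parse(samples[i]);
        char *s = addr_format(a);
        printf("%-26s group=%d -> %s\n", samples[i], a->is_group, s);
        free(s);
        addr_free(a);
    }
    return 0;
}
```

The defensive point is in `addr_format`: every field that the grammar allows to be absent is tested before use, so a group sender degrades to a harmless "name:;" string instead of a crash that the MTA then retries indefinitely.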
_______________________________________________
Dovecot-news mailing list
Dovecot-news@dovecot.org
https://dovecot.org/mailman/listinfo/dovecot-news