oss-sec mailing list archives
Dovecot Security Advisory: CVE-2017-14461 rfc822_parse_domain Information Leak Vulnerability
From: Aki Tuomi <aki.tuomi () open-xchange com>
Date: Thu, 1 Mar 2018 08:51:52 +0200 (EET)
Vulnerable versions: 2.0 - 2.2.33, 2.3.0 Fixed versions: 2.2.34, 2.3.0.1 Score: 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H This vulnerability comes in two flavors. A malicious party can send a specially crafted email to a vulnerable system, causing it to crash dovecot. In some systems, the mail can be stored into the mail system, causing crash every time it is being opened. If the mail is stored into the mail system, it can be used to also leak heap memory from IMAP process by requesting bodystructure of the mail. This bug was separately reported by Cisco TALOS and thru HackerOne program by 'flxflndy'.
Current thread:
- Dovecot Security Advisory: CVE-2017-14461 rfc822_parse_domain Information Leak Vulnerability Aki Tuomi (Mar 01)