Open-Xchange Dovecot versions 2.3.0 through 2.3.10 suffer from null pointer dereference and denial of service vulnerabilities.
3aa6155c0580d269fb7fdbdd9648de20d10f066c289ea5f31c5a7bb2f6be630b
Debian Linux Security Advisory 4385-1 - halfdog discovered an authentication bypass vulnerability in the Dovecot email server. Under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. If there is no additional password verification, this allows the attacker to login as anyone else in the system. Only installations using.
6833491f703287eb135623eab6b3f3e0926f3acd5a1bb2dc72afa6c93a8a9b33
Ubuntu Security Notice 3881-2 - USN-3881-1 fixed a vulnerability in Dovecot. This update provides the corresponding update for Ubuntu 12.04 ESM. It was discovered that Dovecot incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users. Various other issues were also addressed.
1d145a7d6061f246f48a848680c45f7979b1476512372f57248c8bafef25526b
Ubuntu Security Notice 3881-1 - It was discovered that Dovecot incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.
81303d55c739f8568896780709c6a639e81aad971c982094aa53db5d0c65afcf
Ubuntu Security Notice 3587-2 - USN-3587-1 fixed a vulnerability in Dovecot. This update provides the corresponding update for Ubuntu 12.04 ESM. It was discovered that Dovecot incorrectly handled parsing certain email addresses. A remote attacker could use this issue to cause Dovecot to crash, resulting in a denial of service, or possibly obtain sensitive information. Various other issues were also addressed.
c1f6d6e6682487d0c9dcfa66fa41c4337fa8d5078553630d242b82e7cbd1dc0d
Debian Linux Security Advisory 4130-1 - Several vulnerabilities have been discovered in the Dovecot email server.
b72645d04abb2796b35b7272e5208019f22ef74f7893524d18a0bb44b81ddbd3
Ubuntu Security Notice 3587-1 - It was discovered that Dovecot incorrectly handled parsing certain email addresses. A remote attacker could use this issue to cause Dovecot to crash, resulting in a denial of service, or possibly obtain sensitive information. It was discovered that Dovecot incorrectly handled TLS SNI config lookups. A remote attacker could possibly use this issue to cause Dovecot to crash, resulting in a denial of service. Various other issues were also addressed.
625cfc8b26e130e4d7c58da134e865f2618f6ccdfec01a7149b33f4a9d48d196
Ubuntu Security Notice 3556-2 - USN-3556-1 fixed vulnerabilities in Dovecot. This update provides the corresponding update for Ubuntu 12.04 ESM. It was discovered that Dovecot incorrectly handled certain authentications. An attacker could possibly use this to bypass authentication and access sensitive information. Various other issues were also addressed.
ec5451f5f5fbad1a4b5d212e71f5225bc2c339fdc87e030edc7b410d020b013e
Ubuntu Security Notice 3556-1 - It was discovered that Dovecot incorrectly handled certain authentications. An attacker could possibly use this to cause a denial of service.
0473bcf7129589affc6d1fedea923af193ac11328da392835fb739e0029610ed
Ubuntu Security Notice 3258-2 - USN-3258-1 intended to fix a vulnerability in Dovecot. Further investigation revealed that only Dovecot versions 2.2.26 and newer were affected by the vulnerability. Additionally, the change introduced a regression when Dovecot was configured to use the "dict" authentication database. This update reverts the change. It was discovered that Dovecot incorrectly handled some usernames. An attacker could possibly use this issue to cause Dovecot to hang or crash, resulting in a denial of service. Various other issues were also addressed.
aeb7eb5a4c7e0c1d570d72040645a8653b06cc2f415273328b2ef5fddc33d78f
Ubuntu Security Notice 3258-1 - It was discovered that Dovecot incorrectly handled some usernames. An attacker could possibly use this issue to cause Dovecot to hang or crash, resulting in a denial of service.
5101ff0e70771f14628412493ecbd468dc95e9c6bd6f142a841f86cabb362f8b
Mandriva Linux Security Advisory 2015-113 - Updated dovecot packages fix a security vulnerability. Dovecot before 2.2.13 is vulnerable to a DoS attack against imap/pop3-login processes. If an SSL/TLS handshake was started but not finished, the login process eventually attempted to forcibly disconnect the client, but failed to do so correctly. This could have left the connections hanging around for a long time.
02bb0de3a8646cbeff42c1216386daf1423a1ee06013225762cc7befed905053
Gentoo Linux Security Advisory 201412-3 - A vulnerability in Dovecot could allow a remote attacker to create a Denial of Service condition. Versions less than 2.2.13 are affected.
3d75dd34d40e4219d0c2b708283b8f3aac32e24327f5de51520a41dbd3e58729
Red Hat Security Advisory 2014-0790-01 - Dovecot is an IMAP server, written with security primarily in mind, for Linux and other UNIX-like systems. It also contains a small POP3 server. It supports mail in both the maildir and mbox formats. The SQL drivers and authentication plug-ins are provided as subpackages. It was discovered that Dovecot did not properly discard connections trapped in the SSL/TLS handshake phase. A remote attacker could use this flaw to cause a denial of service on an IMAP/POP3 server by exhausting the pool of available connections, preventing further legitimate connections to the IMAP/POP3 server from being made.
0e13ed0ca0865bb4148cdab7442ec2e3cbc2d65acb04cd37108d09f3f118e88c
Debian Linux Security Advisory 2954-1 - It was discovered that the Dovecot email server is vulnerable to a denial of service attack against imap/pop3-login processes due to incorrect handling of the closure of inactive SSL/TLS connections.
f7b574186100faa3350fd62bea077a55c41e1162c8a545f104e6d1fc73023950
Mandriva Linux Security Advisory 2014-099 - Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 do not properly close old connections, which allows remote attackers to cause a denial of service via an incomplete SSL/TLS handshake for an IMAP/POP3 connection. The updated packages have been patched to correct this issue.
b82ca56efd8853684a23112efde2dd54f66c4a5430e065066c7fe0aae9e7b563
Ubuntu Security Notice 2213-1 - It was discovered that Dovecot incorrectly handled closing inactive SSL/TLS connections. A remote attacker could use this issue to cause Dovecot to stop responding to new connections, resulting in a denial of service.
e11d65530516edf471c037d15e12b497989180e21221b6dc72a4223832e170ed
This Metasploit module exploits a command injection vulnerability against Dovecot with Exim using the "use_shell" option. It uses the sender's address to inject arbitrary commands, since this is one of the user-controlled variables. The module has been successfully tested on Debian Squeeze using the default Exim4 with dovecot-common packages.
d72b6de0ba7eaf73295bab2780dde4862dd95a6711d35c8ea50c93c6aad58c90
During a penetration test a typical misconfiguration was found in the way Dovecot is used as a local delivery agent by Exim. A common use case for the Dovecot IMAP and POP3 server is the use of Dovecot as a local delivery agent for Exim. The Dovecot documentation contains an example using a dangerous configuration option for Exim, which leads to a remote command execution vulnerability in Exim.
3025b7b604291903b2d800d82014d424dcaadbb269d1a91c5be2394530f8e8c8
Red Hat Security Advisory 2013-0520-02 - Dovecot is an IMAP server, written with security primarily in mind, for Linux and other UNIX-like systems. It also contains a small POP3 server. It supports mail in either maildir or mbox format. The SQL drivers and authentication plug-ins are provided as sub-packages. Two flaws were found in the way some settings were enforced by the script-login functionality of Dovecot. A remote, authenticated user could use these flaws to bypass intended access restrictions or conduct a directory traversal attack by leveraging login scripts.
cc2d82431b7724dffbd1e1d10167102f8893f413a9eb44dd0dce08dd119b4ef9
Secunia Security Advisory - A vulnerability has been reported in Dovecot, which can be exploited by malicious users to cause a DoS (Denial of Service).
166faf700353ac5b78bff3f97f1c0a2f54b93c1727613d0f027b76a4d464dd10
Secunia Security Advisory - SUSE has issued an update for dovecot20. This fixes a security issue, which can be exploited by malicious people to conduct spoofing attacks.
b5c11faf884cfb2c3a51a3a613864ad1f4376c2a30c315696f6ba6d23e02b1e4
Secunia Security Advisory - Ubuntu has issued an update for dovecot. This fixes a security issue, which can be exploited by malicious people to conduct spoofing attacks.
fa03a044c88be5c75936565493afd98b0cb9a8bb9593e9c4439aa7cae27d794f
Ubuntu Security Notice 1295-1 - It was discovered that Dovecot incorrectly validated certificate hostnames when being used as a POP3 and IMAP proxy. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information.
6537b446fcea6b049718ea977697f880df756abeecdad9dba3605ca876e59b50
Secunia Security Advisory - A security issue has been reported in Dovecot, which can be exploited by malicious people to conduct spoofing attacks.
bd8958539c6a4e96d0b9d1edc6740fdb1d8250288d146f05875365b36ff733df
Secunia Security Advisory - Gentoo has issued an update for dovecot. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, by malicious users to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise a vulnerable system, and by malicious people to cause a DoS (Denial of Service).
fc3bd0444c3f608ec2e5e85f1baa10bd0ccab1190697403d9026f93af1b91a0e