Software update: Dovecot

Dovecot is a mail server with support for imap, pop3, ipv6, ssl and tls, and is partly under an MIT and partly under a Lgplv2.1 license. Maildir, mbox and the self-developed dbox format can be used to store mail messages. In addition, MTAs such as Postfix 2.3+ and Exim 4.64+ can perform their smtp authentication process at Dovecot without any intermediate steps. The developers have released version with the following announcement:

Version released

  • CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. This could be used rather easily to cause a DoS. Similar crash also happens during mail delivery when using invalid UTF8 in From or Subject header when OX push notification driver is used.

Version released

  • CVE-2019-7524: Missing input buffer size validation leads into arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index. Exploiting this requires direct write access to the index files.

Version number
Release status Final
Operating systems Linux, BSD, macOS, Solaris, UNIX
Website dovecot
License type Conditions (GNU/BSD/etc.)