Dovecot is a mail server with support for IMAP, POP3, IPv6, SSL and TLS. It is licensed partly under the MIT license and partly under LGPLv2.1. Mail can be stored in Maildir, mbox and Dovecot's own dbox format. In addition, MTAs such as Postfix 2.3+ and Exim 4.64+ can perform SMTP authentication directly against Dovecot without any intermediate steps. The developers have released version 22.214.171.124 with the following announcement:
Version 126.96.36.199 released
- CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. This could be used rather easily to cause a DoS. Similar crash also happens during mail delivery when using invalid UTF8 in From or Subject header when OX push notification driver is used.
Version 188.8.131.52 released
- CVE-2019-7524: Missing input buffer size validation leads into arbitrary buffer overflow when reading fts or pop3 uidl header from Dovecot index. Exploiting this requires direct write access to the index files.
Operating systems: Linux, BSD, macOS, Solaris, UNIX
License type: Conditions (GNU/BSD/etc.)