FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
abaaecda-ea16-43e2-bad0-d34a9ac576b1 | Dovecot -- improper input validation

Aki Tuomi reports:

Vulnerability Details: IMAP and ManageSieve protocol parsers do not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes.

Risk: This vulnerability allows for out-of-bounds writes to objects stored on the heap up to 8096 bytes in pre-login phase, and 65536 bytes post-login phase, allowing sufficiently skilled attacker to perform complicated attacks that can lead to leaking private information or remote code execution. Abuse of this bug is very difficult to observe, as it does not necessarily cause a crash. Attempts to abuse this bug are not directly evident from logs.


Discovery 2019-04-13
Entry 2019-08-28
dovecot
< 2.3.7.2

dovecot-pigeonhole
< 0.5.7.2

https://dovecot.org/pipermail/dovecot/2019-August/116874.html
CVE-2019-11500
bd98066d-4ea4-11eb-b412-e86a64caca56 | mail/dovecot -- multiple vulnerabilities

Aki Tuomi reports:

When imap hibernation is active, an attacker can cause Dovecot to discover file system directory structure and access other users' emails using specially crafted command. The attacker must have valid credentials to access the mail server.

Mail delivery / parsing crashed when the 10 000th MIME part was message/rfc822 (or if parent was multipart/digest). This happened due to earlier MIME parsing changes for CVE-2020-12100.


Discovery 2020-08-17
Entry 2021-01-04
dovecot
< 2.3.13

https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
CVE-2020-24386
CVE-2020-25275
7862213c-5152-11e9-8b26-a4badb296695 | dovecot -- Buffer overflow reading extension header

Aki Tuomi reports:

Vulnerability Details: When reading FTS or POP3-UIDL header from dovecot index, the input buffer size is not bound, and data is copied to target structure causing stack overflow.

Risk: This can be used for local root privilege escalation or executing arbitrary code in dovecot process context. This requires ability to directly modify dovecot indexes.

Steps to reproduce: Produce dovecot.index.log entry that creates an FTS header which has more than 12 bytes of data. Trigger dovecot indexer-worker or run doveadm index. Dovecot will crash.

Mitigations: Since 2.3.0 dovecot has been compiled with stack smash protection, ASLR, read-only GOT tables and other techniques that make exploiting this bug much harder.


Discovery 2019-02-05
Entry 2019-03-28
dovecot
< 2.3.5.1

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-7524
https://dovecot.org/list/dovecot-news/2019-March/000401.html
CVE-2019-7524
37d106a8-15a4-483e-8247-fcb68b16eaf8 | Dovecot -- Multiple vulnerabilities

Aki Tuomi reports:

Vulnerability Details: Sending malformed NOOP command causes crash in submission, submission-login or lmtp service.

Risk: Remote attacker can keep submission-login service down, causing denial of service attack. For lmtp the risk is negligible, as lmtp is usually behind a trusted MTA.

Steps to reproduce: Send ``NOOP EE"FY`` to submission port, or similarly malformed command.

Vulnerability Details: Sending command followed by sufficient number of newlines triggers a use-after-free bug that might crash submission-login, submission or lmtp service.

Risk: Remote attacker can keep submission-login service down, causing denial of service attack. For lmtp the risk is negligible, as lmtp is usually behind a trusted MTA.

Steps to reproduce: This can be currently reproduced with ASAN or Valgrind. Reliable way to crash has not yet been discovered.

Vulnerability Details: Sending mail with empty quoted localpart causes submission or lmtp component to crash.

Risk: Malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad sender or recipient address.

Steps to reproduce: Send mail with envelope sender or recipient as <""@example.org>.

Workaround: For submission there is no workaround, but triggering the bug requires valid credentials. For lmtp, one can implement sufficient filtering on MTA level to prevent mails with such addresses from ending up in LMTP delivery.


Discovery 2020-04-02
Entry 2020-05-18
dovecot
< 2.3.10.1

https://dovecot.org/pipermail/dovecot-news/2020-May/000438.html
CVE-2020-10957
CVE-2020-10958
CVE-2020-10967
74db0d02-b140-4c32-aac6-1f1e81e1ad30 | dovecot -- multiple vulnerabilities

Aki Tuomi reports:

lib-smtp doesn't handle truncated command parameters properly, resulting in infinite loop taking 100% CPU for the process. This happens for LMTP (where it doesn't matter so much) and also for submission-login where unauthenticated users can trigger it.

Aki also reports:

Snippet generation crashes if:

* message is large enough that message-parser returns multiple body blocks
* The first block(s) don't contain the full snippet (e.g. full of whitespace)
* input ends with '>'


Discovery 2020-01-14
Entry 2020-02-13
dovecot
< 2.3.9.3

https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html
https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html
CVE-2020-7046
CVE-2020-7967
3f98ccb3-6b8a-11e9-9b5c-a4badb296695 | Dovecot -- Multiple vulnerabilities

Aki Tuomi reports:

Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting. This can lead to denial-of-service attack by persistent attacker(s).

Aki Tuomi reports:

Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent. This can lead to denial-of-service attack by persistent attacker(s).


Discovery 2019-03-11
Entry 2019-04-30
dovecot
>= 2.3.0, < 2.3.6

https://dovecot.org/list/dovecot-news/2019-April/000409.html
CVE-2019-11494
https://dovecot.org/list/dovecot-news/2019-April/000410.html
CVE-2019-11499
a64aa22f-61ec-11e9-85b9-a4badb296695 | dovecot -- json encoder crash

Aki Tuomi reports:

* CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. This could be used rather easily to cause a DoS. Similar crash also happens during mail delivery when using invalid UTF8 in From or Subject header when OX push notification driver is used.


Discovery 2019-04-09
Entry 2019-04-18
Modified 2019-05-26
dovecot
>= 2.3.0, < 2.3.5.2

dovecot2
>= 2.3.0, < 2.3.5.2

https://dovecot.org/pipermail/dovecot-news/2019-April/000407.html
CVE-2019-10691
87a07de1-e55e-4d51-bb64-8d117829a26a | mail/dovecot -- multiple vulnerabilities

Aki Tuomi reports:

Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory.

Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash.

lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash.

Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.


Discovery 2020-04-23
Entry 2020-08-13
dovecot
< 2.3.11

https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html
CVE-2020-12100
CVE-2020-12673
CVE-2020-10967
CVE-2020-12674
1340fcc1-2953-11e9-bc44-a4badb296695 | mail/dovecot -- Suitable client certificate can be used to login as other user

Aki Tuomi (Open-Xchange Oy) reports:

Normally Dovecot is configured to authenticate imap/pop3/managesieve/submission clients using regular username/password combination. Some installations have also required clients to present a trusted SSL certificate on top of that. It's also possible to configure Dovecot to take the username from the certificate instead of from the user provided authentication. It's also possible to avoid having a password at all, only trusting the SSL certificate.

If the provided trusted SSL certificate is missing the username field, Dovecot should be failing the authentication. However, the earlier versions will take the username from the user provided authentication fields (e.g. LOGIN command). If there is no additional password verification, this allows the attacker to login as anyone else in the system.

This affects only installations using:

auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes

Attacker must also have access to a valid trusted certificate without the ssl_cert_username_field in it. The default is commonName, which almost certainly exists in all certificates. This could happen for example if ssl_cert_username_field is a field that normally doesn't exist, and attacker has access to a web server's certificate (and key), which is signed with the same CA.

Attack can be mitigated by having the certificates with proper Extended Key Usage, such as 'TLS Web Server' and 'TLS Web Server Client'.

Also, ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This does not apply to Dovecot Submission service.


Discovery 2019-01-16
Entry 2019-02-05
dovecot
< 2.3.4.1

https://www.mail-archive.com/dovecot@dovecot.org/msg76117.html
CVE-2019-3814