VYPR

rpm package

almalinux/dovecot-devel

pkg:rpm/almalinux/dovecot-devel

Vulnerabilities (11)

  • CVE-2026-27858HigMar 27, 2026
    affected < 1:2.3.21-16.el10_1.1fixed 1:2.3.21-16.el10_1.1

    Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install fixed

  • CVE-2026-27857MedMar 27, 2026
    affected < 1:2.3.21-16.el10_1.1fixed 1:2.3.21-16.el10_1.1

    Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possi

  • CVE-2025-59032HigMar 27, 2026
    affected < 1:2.3.21-16.el10_1.1fixed 1:2.3.21-16.el10_1.1

    ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to ManageSieve port, or disable the service if it's not needed. Alternatively upgr

  • CVE-2024-23185HigSep 10, 2024
    affected < 1:2.3.16-11.el9_4.1fixed 1:2.3.16-11.el9_4.1

    Very large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up "full_value" buffer out of the smaller chunks. The full_val

  • CVE-2024-23184MedSep 10, 2024
    affected < 1:2.3.16-11.el9_4.1fixed 1:2.3.16-11.el9_4.1

    Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by e

  • CVE-2022-30550Jul 17, 2022
    affected < 1:2.3.16-3.el8fixed 1:2.3.16-3.el8

    An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied

  • CVE-2021-33515Jun 28, 2021
    affected < 1:2.3.16-2.el8fixed 1:2.3.16-2.el8

    The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.

  • CVE-2020-24386Jan 4, 2021
    affected < 1:2.3.8-9.el8fixed 1:2.3.8-9.el8

    An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).

  • CVE-2020-25275Jan 4, 2021
    affected < 1:2.3.8-9.el8fixed 1:2.3.8-9.el8

    Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.

  • CVE-2020-10967May 18, 2020
    affected < 1:2.3.8-4.el8fixed 1:2.3.8-4.el8

    In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.

  • CVE-2020-10958May 18, 2020
    affected < 1:2.3.8-4.el8fixed 1:2.3.8-4.el8

    In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command.