rpm package
suse/dovecot22&distro=SUSE Linux Enterprise Software Development Kit 12 SP4
pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-11500 | — | < 2.2.31-19.17.1 | 2.2.31-19.17.1 | Aug 29, 2019 | In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution. | ||
| CVE-2019-7524 | — | < 2.2.31-19.14.2 | 2.2.31-19.14.2 | Mar 28, 2019 | In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components. | ||
| CVE-2019-3814 | — | < 2.2.31-19.14.2 | 2.2.31-19.14.2 | Mar 27, 2019 | It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users. |
- CVE-2019-11500Aug 29, 2019affected < 2.2.31-19.17.1fixed 2.2.31-19.17.1
In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.
- CVE-2019-7524Mar 28, 2019affected < 2.2.31-19.14.2fixed 2.2.31-19.14.2
In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.
- CVE-2019-3814Mar 27, 2019affected < 2.2.31-19.14.2fixed 2.2.31-19.14.2
It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.