rpm package

suse/dovecot23&distro=SUSE Linux Enterprise Module for Server Applications 15

pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015

Vulnerabilities (3)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2019-10691	—	< 2.3.3-4.13.1	2.3.3-4.13.1	Apr 24, 2019	The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username.
CVE-2019-7524	—	< 2.3.3-4.10.1	2.3.3-4.10.1	Mar 28, 2019	In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.
CVE-2019-3814	—	< 2.3.3-4.7.4	2.3.3-4.7.4	Mar 27, 2019	It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.

CVE-2019-10691Apr 24, 2019
affected < 2.3.3-4.13.1fixed 2.3.3-4.13.1
The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username.
CVE-2019-7524Mar 28, 2019
affected < 2.3.3-4.10.1fixed 2.3.3-4.10.1
In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.
CVE-2019-3814Mar 27, 2019
affected < 2.3.3-4.7.4fixed 2.3.3-4.7.4
It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.