Lets try again, put wrong changelog to the mail. Sorry about this. https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz.sig Binary packages in https://repo.dovecot.org/ ??? * CVE-2019-10691: Trying to login with 8bit username containing ??? ? invalid UTF8 input causes auth process to crash if auth policy is ??? ? enabled. This could be used rather easily to cause a DoS. Similar ??? ? crash also happens during mail delivery when using invalid UTF8 in ??? ? From or Subject header when OX push notification driver is used. --- Aki Tuomi Open-Xchange oy -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: <https://dovecot.org/pipermail/dovecot-news/attachments/20190418/80cb9a6b/attachment.sig>
Aki Tuomi via dovecot skrev den 2019-04-18 11:35:> ??? * CVE-2019-10691: Trying to login with 8bit username containing > ??? ? invalid UTF8 input causes auth process to crash if auth policy is > ??? ? enabled. This could be used rather easily to cause a DoS. Similar > ??? ? crash also happens during mail delivery when using invalid UTF8 > in > ??? ? From or Subject header when OX push notification driver is used.can this aswell crash dovecot policy service so check policy service on postfix tempfails ?
> On 18 April 2019 14:40 Benny Pedersen via dovecot <dovecot at dovecot.org> wrote: > > > Aki Tuomi via dovecot skrev den 2019-04-18 11:35: > > > ??? * CVE-2019-10691: Trying to login with 8bit username containing > > ??? ? invalid UTF8 input causes auth process to crash if auth policy is > > ??? ? enabled. This could be used rather easily to cause a DoS. Similar > > ??? ? crash also happens during mail delivery when using invalid UTF8 > > in > > ??? ? From or Subject header when OX push notification driver is used. > > can this aswell crash dovecot policy service so check policy service on > postfix tempfails ?I am not sure what "dovecot policy service" you mean This bug only affects push notifications and auth policy (e.g. weakforced) connector, as they send out JSON. The crash isn't related to UTF-8 input handling as per such. Aki