similar to: CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters.

Dear subscribers, we're sharing our latest advisory with you and would like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne. Please find patches for v2.2.36 and v2.3.4 attached, or download new version from https://dovecot.org Yours sincerely, Aki Tuomi Open-Xchange Oy

Open-Xchange Security Advisory 2019-04-30 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3212 (Bug ID) Vulnerability type: CWE-476 Vulnerable version: 2.3.0 - 2.3.5.2 Vulnerable component: submission-login Report confidence: Confirmed Researcher credits: Marcelo Coelho Solution status: Fixed by Vendor Fixed version: 2.3.6 Vendor notificatio: 2019-03-11 Solution date: 2019-04-23

Open-Xchange Security Advisory 2019-04-30 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3223 (Bug ID) Vulnerability type: CWE-617 Vulnerable version: 2.3.0 - 2.3.5.2 Vulnerable component: submission-login Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.6 Vendor notification: 2019-03-11 Solution date: 2019-04-23 Public disclosure: 2019-04-30 CVE

Open-Xchange Security Advisory 2019-04-30 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3212 (Bug ID) Vulnerability type: CWE-476 Vulnerable version: 2.3.0 - 2.3.5.2 Vulnerable component: submission-login Report confidence: Confirmed Researcher credits: Marcelo Coelho Solution status: Fixed by Vendor Fixed version: 2.3.6 Vendor notificatio: 2019-03-11 Solution date: 2019-04-23

Open-Xchange Security Advisory 2019-04-30 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3223 (Bug ID) Vulnerability type: CWE-617 Vulnerable version: 2.3.0 - 2.3.5.2 Vulnerable component: submission-login Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.6 Vendor notification: 2019-03-11 Solution date: 2019-04-23 Public disclosure: 2019-04-30 CVE

Open-Xchange Security Advisory 2020-02-12 Affected product: Dovecot Core Internal reference: DOV-3744 (JIRA ID) Vulnerability type: Improper Input Validation (CWE-30) Vulnerable version: 2.3.9 Vulnerable component: submission-login, lmtp Fixed version: 2.3.9.3 Report confidence: Confirmed Solution status: Fixed Researcher credits: Open-Xchange oy Vendor notification: 2020-01-14 CVE reference:

Open-Xchange Security Advisory 2020-02-12 Affected product: Dovecot Core Internal reference: DOV-3744 (JIRA ID) Vulnerability type: Improper Input Validation (CWE-30) Vulnerable version: 2.3.9 Vulnerable component: submission-login, lmtp Fixed version: 2.3.9.3 Report confidence: Confirmed Solution status: Fixed Researcher credits: Open-Xchange oy Vendor notification: 2020-01-14 CVE reference:

Open-Xchange Security Advisory 2019-12-13 ? Product: Dovecot IMAP/POP3 Server Vendor: OX Software GmbH ? Internal reference: DOV-3719 Vulnerability type: NULL Pointer Dereference (CWE-476) Vulnerable version: 2.3.9 Vulnerable component: push notification driver Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.9.1 Researcher credits: Frederik Schwan, Michael

Open-Xchange Security Advisory 2019-12-13 ? Product: Dovecot IMAP/POP3 Server Vendor: OX Software GmbH ? Internal reference: DOV-3719 Vulnerability type: NULL Pointer Dereference (CWE-476) Vulnerable version: 2.3.9 Vulnerable component: push notification driver Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.9.1 Researcher credits: Frederik Schwan, Michael

On Fri, 2017-05-26 at 11:36 +0530, Arjit Gupta via samba wrote: > Hi Team, > > Please let me know the severity of CVE-2017-2619 and CVE-2017-7494. They are not unpublished: https://www.samba.org/samba/security/CVE-2017-2619.html https://www.samba.org/samba/security/CVE-2017-7494.html For this second bug, I did some work on CVSS scores: I've had a go at a CVSSv3 score for the

Thanks for the analysis of second bug. Please also share CVSSv3 score for first bug. Arjit Kumar On Fri, May 26, 2017 at 12:29 PM, Andrew Bartlett <abartlet at samba.org> wrote: > On Fri, 2017-05-26 at 11:36 +0530, Arjit Gupta via samba wrote: > > Hi Team, > > > > Please let me know the severity of CVE-2017-2619 and CVE-2017-7494. > > They are not unpublished:

Hi, I have the SSH Terrapin Prefix Truncation Weakness on Red Hat Enterprise Linux release 8.7 (Ootpa). The details are as follows. # rpm -qa | grep openssh openssh-8.0p1-16.el8.x86_64 openssh-askpass-8.0p1-16.el8.x86_64 openssh-server-8.0p1-16.el8.x86_64 openssh-clients-8.0p1-16.el8.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux release 8.7 (Ootpa) # SSH Terrapin Prefix Truncation

You might find RedHat's CVE page on this useful: https://access.redhat.com/security/cve/cve-2023-48795 On Tue, Jan 23, 2024 at 10:04?AM Kaushal Shriyan <kaushalshriyan at gmail.com> wrote: > Hi, > > I have the SSH Terrapin Prefix Truncation Weakness on Red Hat Enterprise > Linux release 8.7 (Ootpa). The details are as follows. > > # rpm -qa | grep openssh >

Lets try again, put wrong changelog to the mail. Sorry about this. https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz.sig Binary packages in https://repo.dovecot.org/ ??? * CVE-2019-10691: Trying to login with 8bit username containing ??? ? invalid UTF8 input causes auth process to crash if auth policy is ??? ? enabled. This could be

Lets try again, put wrong changelog to the mail. Sorry about this. https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.5.2.tar.gz.sig Binary packages in https://repo.dovecot.org/ ??? * CVE-2019-10691: Trying to login with 8bit username containing ??? ? invalid UTF8 input causes auth process to crash if auth policy is ??? ? enabled. This could be

Open-Xchange Security Advisory 2021-06-21 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-4583 (Bug ID) Vulnerability type: CWE-74: Failure to Sanitize Data into a Different Plane ('Injection') Vulnerable version: 2.3.0-2.3.14 Vulnerable component: submission Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.14.1 Vendor notification:

Open-Xchange Security Advisory 2021-06-21 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-4583 (Bug ID) Vulnerability type: CWE-74: Failure to Sanitize Data into a Different Plane ('Injection') Vulnerable version: 2.3.0-2.3.14 Vulnerable component: submission Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.14.1 Vendor notification:

Open-Xchange Security Advisory 2021-01-04 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOP-2009 (Bug ID) Vulnerability type: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences Vulnerable version: 2.2.26-2.3.11.3 Vulnerable component: imap Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.13 Vendor notification: 2020-08-17

Open-Xchange Security Advisory 2021-01-04 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOP-2009 (Bug ID) Vulnerability type: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences Vulnerable version: 2.2.26-2.3.11.3 Vulnerable component: imap Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.13 Vendor notification: 2020-08-17

Affected product: Dovecot IMAP Server Internal reference: DOV-5320 Vulnerability type: Improper Access Control (CWE-284) Vulnerable version: 2.2 Vulnerable component: submission Report confidence: Confirmed Solution status: Fixed in main Researcher credits: Julian Brook (julezman) Vendor notification: 2022-05-06 CVE reference: CVE-2022-30550 CVSS: 6.8