similar to: CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole

On 2019.08.28. 15:10, Aki Tuomi via dovecot wrote: > > Steps to reproduce: > > This bug is best observed using valgrind to see the out of bounds read > with following snippet: > > perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\" > \"\000".("x"x1020)."\\A\")\n"' |

Dear subscribers, we have been made aware of critical vulnerability in Dovecot and Pigeonhole. --- Open-Xchange Security Advisory 2019-08-14 ? Product: Dovecot Vendor: OX Software GmbH ? Internal reference: DOV-3278 Vulnerability type: Improper input validation (CWE-20) Vulnerable version: All versions prior to 2.3.7.2 and 2.2.36.4 Vulnerable component: IMAP and ManageSieve protocol parsers

Hello, On 2019-08-28 14:10, Aki Tuomi via dovecot wrote: > Dear subscribers, we have been made aware of critical vulnerability in > Dovecot and Pigeonhole. Has this already been fixed in 2.2.36.4? Changelog does not mention it. Regards Christoph

Hello, Cc'ing Apollon in hopes he might have some insight here. When upgrading on Debian Stretch with the security fix packages all dovecot processes get killed and then restarted despite having "shutdown_clients = no" set. My guess would be a flaw in the upgrade procedure and/or unit files doing a stop and start when the new imapd package is installed. Can anybody think of a

Am 30.08.19 um 17:38 schrieb Daniel Lange via dovecot: > Am 30.08.19 um 10:00 schrieb Christian Balzer via dovecot: >> When upgrading on Debian Stretch with the security fix packages all >> dovecot processes get killed and then restarted despite having >> "shutdown_clients = no" set. > > This is systemd doing its "magic" (kill all control group

Good Morning List, just a short question to this vulnerability. We are using a setup with dovecot redirector/proxy frontend servers and some backend server, which store the mailboxes. Is it anough to update the frontend servers if I like to fix the the vulnerability? greetings, Oliver

> On 2 Sep 2019, at 11.01, MK via dovecot <dovecot at dovecot.org> wrote: > > Good Morning List, > > just a short question to this vulnerability. We are using a setup with dovecot redirector/proxy frontend servers > and some backend server, which store the mailboxes. > Is it anough to update the frontend servers if I like to fix the the vulnerability? No. Sami

>> On 2 Sep 2019, at 11.01, MK via dovecot <dovecot at dovecot.org> wrote: >> >> Good Morning List, >> >> just a short question to this vulnerability. We are using a setup with dovecot redirector/proxy frontend servers >> and some backend server, which store the mailboxes. >> Is it anough to update the frontend servers if I like to fix the the

Am 30.08.19 um 10:00 schrieb Christian Balzer via dovecot: > When upgrading on Debian Stretch with the security fix packages all > dovecot processes get killed and then restarted despite having > "shutdown_clients = no" set. This is systemd doing its "magic" (kill all control group processes), see https://dovecot.org/pipermail/dovecot/2016-June/104546.html for a

Hi all, does the dovecot fixed version: 2.3.7.2, 2.2.36.4 (as the CVE-2019-11500 says) fix the LMTP error "Got unexpected reply" as well? The LMTP error "Got unexpected reply" is described here: https://dovecot.org/pipermail/dovecot/2018-August/112562.html https://dovecot.org/pipermail/dovecot/2018-August/112666.html Thanks in advance Regards, -- Gabriele Nencioni

Daniel, thanks so much for the detailed pointers. So it turns out to be both the evil that is systemd and an overzealous upgrade script. Apollon, should I raise a Debian bug for this? As for reasons, how do 50k proxy session on the proxy servers and 25k imap processes on the mailbox servers sound? Even on a server with just 6k users and 7k imap processes that causes a massive load spike and a

Hi! Dovecot 2.2.24 Had set up solr and new schema collection. Copied dovecot provided schema. There was an error with booleans (while getting schema via http), which I "solved" by removing "add-unknown-fields-to-the-schema" from solrconfig.xml. It is correct way to solve this? Anyway, I run tcpdump to see network activity between dovecot and solr: #tcpdump -i lo port 8983

Hello, how is the future of the automatically built nightly debian packages of dovecot? Has that project been ceased? The current auto-built version is still 2.2.28 from April 28, though 2.2.29 (with a security patch) of dovecot is out now for a while. Regards Christoph

>>> >>> Great! Seems to be working fine for my usage and makes my configs 50% >>> smaller (which is gigantic improvement). Will do more testing though. >>> >>> Thanks! >>> >>> A little bit offtopic, but what is the point of using imap/pop SNI? All clients want to connect to their own domain or what? -- Kaspars

Open-Xchange Security Advisory 2019-12-13 ? Product: Dovecot IMAP/POP3 Server Vendor: OX Software GmbH ? Internal reference: DOV-3719 Vulnerability type: NULL Pointer Dereference (CWE-476) Vulnerable version: 2.3.9 Vulnerable component: push notification driver Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.9.1 Researcher credits: Frederik Schwan, Michael

Open-Xchange Security Advisory 2019-12-13 ? Product: Dovecot IMAP/POP3 Server Vendor: OX Software GmbH ? Internal reference: DOV-3719 Vulnerability type: NULL Pointer Dereference (CWE-476) Vulnerable version: 2.3.9 Vulnerable component: push notification driver Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.9.1 Researcher credits: Frederik Schwan, Michael

Hello, I just found that with my dovecot 2.2.21, when I use squirrelmail to search for something in my mailfolders, that fails with ERROR: Connection dropped by IMAP server. Query: SEARCH CHARSET ISO-8859-1 ALL FROM "someone" That happens for searches in any folder, except from INBOX. When I search in all folders, only results from INBOX are found, then the error message is shown.

Op 5/19/2017 om 8:33 AM schreef Christoph Pleger: > Hello, > > On 2017-05-14 21:29, I wrote: > >> I am using sieve with notification of the original recipient in the case >> that an email has been identified to contain a virus. After upgrading >> dovecot from 2.2.21 to 2.2.29.1, I now detected that in these >> notifications, their sender address is now

> I'm not a FCC lawyer, just a ham. Seems to me all you could do is "sign" > messages and not send them if the sign isn't correct. ?The package itself > is in plain text. I'm not sure what the confusion or concern is. The intention is to use non-plaintext (but technically not encrypted) authentication without TLS over ham frequencies. Hashed challenge/response

On 16/7/20 5:54 am, Benny Pedersen wrote: >>> FWIW I meant if the client is Windows7/old-Outlook then changing >>> either 993/SSL or 143/STARTTLS to 143/NONE could help pick up the >>> mail. > > windows 7 just need tls 1.0, why its need to disabled all, is as well > beyong me, do not disable tls 1.0 in dovecot aslong one have windows > 7 clients Would anyone