similar to: CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole

Displaying 20 results from an estimated 4000 matches similar to: "CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole"

2019 Sep 03
0
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
On 2019.08.28. 15:10, Aki Tuomi via dovecot wrote: > > Steps to reproduce: > > This bug is best observed using valgrind to see the out of bounds read > with following snippet: > > perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\" > \"\000".("x"x1020)."\\A\")\n"' |
2019 Aug 28
0
CVE-2019-11500:
Dear subscribers, we have been made aware of critical vulnerability in Dovecot and Pigeonhole. --- Open-Xchange Security Advisory 2019-08-14 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3278 Vulnerability type: Improper input validation (CWE-20) Vulnerable version: All versions prior to 2.3.7.2 and 2.2.36.4 Vulnerable component: IMAP and ManageSieve protocol parsers
2019 Aug 28
0
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
Hello, On 2019-08-28 14:10, Aki Tuomi via dovecot wrote: > Dear subscribers, we have been made aware of critical vulnerability in > Dovecot and Pigeonhole. Has this already been fixed in 2.2.36.4? Changelog does not mention it. Regards Christoph
2019 Aug 30
0
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
Hello, Cc'ing Apollon in hopes he might have some insight here. When upgrading on Debian Stretch with the security fix packages all dovecot processes get killed and then restarted despite having "shutdown_clients = no" set. My guess would be a flaw in the upgrade procedure and/or unit files doing a stop and start when the new imapd package is installed. Can anybody think of a
2019 Aug 30
0
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
On 30.08.19 at 17:38, Daniel Lange via dovecot wrote: > On 30.08.19 at 10:00, Christian Balzer via dovecot wrote: >> When upgrading on Debian Stretch with the security fix packages all >> dovecot processes get killed and then restarted despite having >> "shutdown_clients = no" set. > > This is systemd doing its "magic" (kill all control group
2019 Sep 02
2
AW: CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
Good Morning List, just a short question to this vulnerability. We are using a setup with dovecot redirector/proxy frontend servers and some backend server, which store the mailboxes. Is it enough to update the frontend servers if I like to fix the vulnerability? greetings, Oliver
2019 Sep 02
0
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
> On 2 Sep 2019, at 11.01, MK via dovecot <dovecot at dovecot.org> wrote: > > Good Morning List, > > just a short question to this vulnerability. We are using a setup with dovecot redirector/proxy frontend servers > and some backend server, which store the mailboxes. > Is it enough to update the frontend servers if I like to fix the vulnerability? No. Sami
2019 Sep 02
1
AW: CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
>> On 2 Sep 2019, at 11.01, MK via dovecot <dovecot at dovecot.org> wrote: >> >> Good Morning List, >> >> just a short question to this vulnerability. We are using a setup with dovecot redirector/proxy frontend servers >> and some backend server, which store the mailboxes. >> Is it enough to update the frontend servers if I like to fix the
2019 Aug 30
3
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
On 30.08.19 at 10:00, Christian Balzer via dovecot wrote: > When upgrading on Debian Stretch with the security fix packages all > dovecot processes get killed and then restarted despite having > "shutdown_clients = no" set. This is systemd doing its "magic" (kill all control group processes), see https://dovecot.org/pipermail/dovecot/2016-June/104546.html for a
2019 Sep 09
1
CVE-2019-11500 and LMTP error
Hi all, does the dovecot fixed version: 2.3.7.2, 2.2.36.4 (as the CVE-2019-11500 says) fix the LMTP error "Got unexpected reply" as well? The LMTP error "Got unexpected reply" is described here: https://dovecot.org/pipermail/dovecot/2018-August/112562.html https://dovecot.org/pipermail/dovecot/2018-August/112666.html Thanks in advance Regards, -- Gabriele Nencioni
2019 Aug 31
1
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
Daniel, thanks so much for the detailed pointers. So it turns out to be both the evil that is systemd and an overzealous upgrade script. Apollon, should I raise a Debian bug for this? As for reasons, how do 50k proxy session on the proxy servers and 25k imap processes on the mailbox servers sound? Even on a server with just 6k users and 7k imap processes that causes a massive load spike and a
2016 Jul 06
3
Dovecot and Solr 6
Hi! Dovecot 2.2.24 Had set up solr and new schema collection. Copied dovecot provided schema. There was an error with booleans (while getting schema via http), which I "solved" by removing "add-unknown-fields-to-the-schema" from solrconfig.xml. It is correct way to solve this? Anyway, I run tcpdump to see network activity between dovecot and solr: #tcpdump -i lo port 8983
2017 May 09
3
Nightly builds of Debian packages
Hello, how is the future of the automatically built nightly debian packages of dovecot? Has that project been ceased? The current auto-built version is still 2.2.28 from April 28, though 2.2.29 (with a security patch) of dovecot is out now for a while. Regards Christoph
2019 Dec 13
1
CVE-2019-19722: Critical vulnerability in Dovecot
Open-Xchange Security Advisory 2019-12-13 Product: Dovecot IMAP/POP3 Server Vendor: OX Software GmbH Internal reference: DOV-3719 Vulnerability type: NULL Pointer Dereference (CWE-476) Vulnerable version: 2.3.9 Vulnerable component: push notification driver Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.9.1 Researcher credits: Frederik Schwan, Michael
2019 Dec 13
1
CVE-2019-19722: Critical vulnerability in Dovecot
Open-Xchange Security Advisory 2019-12-13 Product: Dovecot IMAP/POP3 Server Vendor: OX Software GmbH Internal reference: DOV-3719 Vulnerability type: NULL Pointer Dereference (CWE-476) Vulnerable version: 2.3.9 Vulnerable component: push notification driver Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.9.1 Researcher credits: Frederik Schwan, Michael
2016 Nov 11
2
lazy-load SNI?
>>> >>> Great! Seems to be working fine for my usage and makes my configs 50% >>> smaller (which is gigantic improvement). Will do more testing though. >>> >>> Thanks! >>> >>> A little bit offtopic, but what is the point of using imap/pop SNI? All clients want to connect to their own domain or what? -- Kaspars
2016 Jun 29
2
Error when searching in mailfolders
Hello, I just found that with my dovecot 2.2.21, when I use squirrelmail to search for something in my mailfolders, that fails with ERROR: Connection dropped by IMAP server. Query: SEARCH CHARSET ISO-8859-1 ALL FROM "someone" That happens for searches in any folder, except from INBOX. When I search in all folders, only results from INBOX are found, then the error message is shown.
2017 May 20
3
Sender address when notifying original recipient
On 5/19/2017 at 8:33 AM, Christoph Pleger wrote: > Hello, > > On 2017-05-14 21:29, I wrote: > >> I am using sieve with notification of the original recipient in the case >> that an email has been identified to contain a virus. After upgrading >> dovecot from 2.2.21 to 2.2.29.1, I now detected that in these >> notifications, their sender address is now
2016 Jul 15
2
controlling STARTTLS by IP address
> I'm not a FCC lawyer, just a ham. Seems to me all you could do is "sign" > messages and not send them if the sign isn't correct. The package itself > is in plain text. I'm not sure what the confusion or concern is. The intention is to use non-plaintext (but technically not encrypted) authentication without TLS over ham frequencies. Hashed challenge/response
2020 Jul 16
2
Outlook vs Thunderbird
On 16/7/20 5:54 am, Benny Pedersen wrote: >>> FWIW I meant if the client is Windows7/old-Outlook then changing >>> either 993/SSL or 143/STARTTLS to 143/NONE could help pick up the >>> mail. > > windows 7 just need tls 1.0, why its need to disabled all, is as well > beyond me, do not disable tls 1.0 in dovecot as long one have windows > 7 clients Would anyone