Displaying 20 results from an estimated 2000 matches similar to: "CVE-2019-11500 and LMTP error"
2019 Aug 28
7
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
Dear subscribers, we have been made aware of a critical vulnerability in
Dovecot and Pigeonhole.
---
Open-Xchange Security Advisory 2019-08-14
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-3278
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: All versions prior to 2.3.7.2 and 2.2.36.4
Vulnerable component: IMAP and ManageSieve protocol parsers
2019 Aug 28
0
CVE-2019-11500:
Dear subscribers, we have been made aware of a critical vulnerability in
Dovecot and Pigeonhole.
---
Open-Xchange Security Advisory 2019-08-14
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-3278
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: All versions prior to 2.3.7.2 and 2.2.36.4
Vulnerable component: IMAP and ManageSieve protocol parsers
2018 Aug 17
2
Message delivered twice caused by an LMTP error "Got unexpected reply" during upgrade to 2.3
On 08/16/2018 11:48 PM, Stephan Bosch wrote:
> Op 16/08/2018 om 12:01 schreef Stephan Bosch:
>> I have a theory. Will try something later today.
>
> Yes, I can reproduce the problem. I am working on a fix.
Thank you very much!
I'm here if you need something.
Regards,
--
Gabriele Nencioni
System Administrator
eml gabriele.nencioni at register.it
2018 Oct 08
1
Message delivered twice caused by an LMTP error "Got unexpected reply" during upgrade to 2.3
Op 8-10-2018 om 11:43 schreef Gabriele Nencioni:
> On 8/17/18 8:17 AM, Gabriele Nencioni wrote:
>> On 08/16/2018 11:48 PM, Stephan Bosch wrote:
>>> Op 16/08/2018 om 12:01 schreef Stephan Bosch:
>>>> I have a theory. Will try something later today.
>>> Yes, I can reproduce the problem. I am working on a fix.
>> Thank you very much!
>> I'm here
2018 Aug 23
1
lmtp Panic Buffer write out of range
On 08/22/2018 04:03 PM, Stephan Bosch wrote:
> Op 21-8-2018 om 14:57 schreef Gabriele Nencioni:
>> Hi all,
>> as described here:
>> https://www.dovecot.org/pipermail/dovecot/2018-July/112173.html
>>
>> we are experiencing the same error on dovecot version 2.3.2.1
>> while it never occurs on an old version such as 2.2.15
>
> This looks a lot like:
>
2018 Aug 16
2
Message delivered twice caused by an LMTP error "Got unexpected reply" during upgrade to 2.3
Op 16-8-2018 om 11:47 schreef Gabriele Nencioni:
>>>> On 08/09/2018 09:12 AM, Stephan Bosch wrote
>>>>>>> Can you make a pcap log of the LMTP communication between the two
>>>>>>> Dovecot hosts? That may give me a clue on which side of the
>>>>>>> communication is causing the issue.
>>>>>> Yes sure, where
2018 Aug 21
2
lmtp Panic Buffer write out of range
Hi all,
as described here:
https://www.dovecot.org/pipermail/dovecot/2018-July/112173.html
we are experiencing the same error on dovecot version 2.3.2.1
while it never occurs on an old version such as 2.2.15
The error logs follow:
On an upgraded dovecot backend:
Aug 21 12:03:51 backend20 dovecot:
lmtp(test1 at internalinboundcm.eu)<SONkAYfje1veGgAAu8+/vw>: Panic: Buffer
write out of
2018 Aug 07
4
Message delivered twice caused by an LMTP error "Got unexpected reply" during upgrade to 2.3
Hi all,
we are upgrading our dovecot platform from:
# dovecot --version
2.2.15.14 (39f57c379ded+)
to
# dovecot --version
2.3.2.1 (0719df592)
Our platform is debian based and it is configured as director and
backend proxy.
We have just upgraded only 4 servers (2 directors and 2 backends) and
when the lmtp traffic flow goes through an upgraded director and a
not-upgraded backend sometimes the
2018 Aug 16
0
Message delivered twice caused by an LMTP error "Got unexpected reply" during upgrade to 2.3
>>> On 08/09/2018 09:12 AM, Stephan Bosch wrote
>>>>>> Can you make a pcap log of the LMTP communication between the two
>>>>>> Dovecot hosts? That may give me a clue on which side of the
>>>>>> communication is causing the issue.
>>>>> Yes sure, where I can send it?
>>>>> Here on list or at your address?
2018 Oct 08
0
Message delivered twice caused by an LMTP error "Got unexpected reply" during upgrade to 2.3
On 8/17/18 8:17 AM, Gabriele Nencioni wrote:
> On 08/16/2018 11:48 PM, Stephan Bosch wrote:
>> Op 16/08/2018 om 12:01 schreef Stephan Bosch:
>>> I have a theory. Will try something later today.
>>
>> Yes, I can reproduce the problem. I am working on a fix.
>
> Thank you very much!
> I'm here if you need something.
Hi,
does the release 2.3.3 fix this
2019 Aug 28
0
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
Hello,
On 2019-08-28 14:10, Aki Tuomi via dovecot wrote:
> Dear subscribers, we have been made aware of a critical vulnerability in
> Dovecot and Pigeonhole.
Has this already been fixed in 2.2.36.4? Changelog does not mention it.
Regards
Christoph
2019 Sep 03
0
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
On 2019.08.28. 15:10, Aki Tuomi via dovecot wrote:
>
> Steps to reproduce:
>
> This bug is best observed using valgrind to see the out of bounds read
> with following snippet:
>
> perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\"
> \"\000".("x"x1020)."\\A\")\n"' |
2018 Aug 08
0
Message delivered twice caused by an LMTP error "Got unexpected reply" during upgrade to 2.3
Hi,
Op 07/08/2018 om 09:35 schreef Gabriele Nencioni:
> Hi all,
> we are upgrading our dovecot platform from:
>
> # dovecot --version
> 2.2.15.14 (39f57c379ded+)
Great! A mummy from ancient times.
That is going to make reproducing the circumstances here a bit difficult
(difficult to get that compiled here anymore). I cannot reproduce
anything like that so far with current
2021 Jun 21
1
CVE-2021-33515: SMTP Submission service STARTTLS injection
Open-Xchange Security Advisory 2021-06-21
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-4583 (Bug ID)
Vulnerability type: CWE-74: Failure to Sanitize Data into a Different Plane ('Injection')
Vulnerable version: 2.3.0-2.3.14
Vulnerable component: submission
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.14.1
Vendor notification:
2021 Jun 21
1
CVE-2021-33515: SMTP Submission service STARTTLS injection
Open-Xchange Security Advisory 2021-06-21
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-4583 (Bug ID)
Vulnerability type: CWE-74: Failure to Sanitize Data into a Different Plane ('Injection')
Vulnerable version: 2.3.0-2.3.14
Vulnerable component: submission
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.14.1
Vendor notification:
2019 Dec 13
1
CVE-2019-19722: Critical vulnerability in Dovecot
Open-Xchange Security Advisory 2019-12-13
Product: Dovecot IMAP/POP3 Server
Vendor: OX Software GmbH
Internal reference: DOV-3719
Vulnerability type: NULL Pointer Dereference (CWE-476)
Vulnerable version: 2.3.9
Vulnerable component: push notification driver
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.9.1
Researcher credits: Frederik Schwan, Michael
2019 Dec 13
1
CVE-2019-19722: Critical vulnerability in Dovecot
Open-Xchange Security Advisory 2019-12-13
Product: Dovecot IMAP/POP3 Server
Vendor: OX Software GmbH
Internal reference: DOV-3719
Vulnerability type: NULL Pointer Dereference (CWE-476)
Vulnerable version: 2.3.9
Vulnerable component: push notification driver
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.9.1
Researcher credits: Frederik Schwan, Michael
2022 Jul 06
1
CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used
Affected product: Dovecot IMAP Server
Internal reference: DOV-5320
Vulnerability type: Improper Access Control (CWE-284)
Vulnerable version: 2.2
Vulnerable component: submission
Report confidence: Confirmed
Solution status: Fixed in main
Researcher credits: Julian Brook (julezman)
Vendor notification: 2022-05-06
CVE reference: CVE-2022-30550
CVSS: 6.8
2022 Jul 06
1
CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used
Affected product: Dovecot IMAP Server
Internal reference: DOV-5320
Vulnerability type: Improper Access Control (CWE-284)
Vulnerable version: 2.2
Vulnerable component: submission
Report confidence: Confirmed
Solution status: Fixed in main
Researcher credits: Julian Brook (julezman)
Vendor notification: 2022-05-06
CVE reference: CVE-2022-30550
CVSS: 6.8
2006 Jan 06
3
Asterisk initialization
Hi,
I am doing an AGI that logs to a database every Agent login/logoff.
My idea is to be able to go to this database and check which agents were logged so that I can force their login in case Asterisk goes down for some reason.
The problem is that I would need to reload their status from this AGI when Asterisk initializes. Is there a way to do this?
One idea I had was to make safe_asterisk to