similar to: CVE-2020-25275: MIME parsing crashes with particular messages

Open-Xchange Security Advisory 2021-01-04 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOP-2009 (Bug ID) Vulnerability type: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences Vulnerable version: 2.2.26-2.3.11.3 Vulnerable component: imap Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.13 Vendor notification: 2020-08-17

Open-Xchange Security Advisory 2021-01-04 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOP-2009 (Bug ID) Vulnerability type: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences Vulnerable version: 2.2.26-2.3.11.3 Vulnerable component: imap Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.13 Vendor notification: 2020-08-17

Open-Xchange Security Advisory 2020-08-12 Affected product: Dovecot IMAP server Internal reference: DOP-1849 (Bug ID) Vulnerability type: Uncontrolled recursion (CWE-674) Vulnerable version: 2.0 Vulnerable component: submission, lmtp, lda Fixed version: 2.3.11.3 Report confidence: Confirmed Solution status: Fix available Vendor notification: 2020-04-23 CVE reference: CVE-2020-12100 CVSS: 7.5

Open-Xchange Security Advisory 2020-08-12 Affected product: Dovecot IMAP server Internal reference: DOP-1849 (Bug ID) Vulnerability type: Uncontrolled recursion (CWE-674) Vulnerable version: 2.0 Vulnerable component: submission, lmtp, lda Fixed version: 2.3.11.3 Report confidence: Confirmed Solution status: Fix available Vendor notification: 2020-04-23 CVE reference: CVE-2020-12100 CVSS: 7.5

Open-Xchange Security Advisory 2021-06-21 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-4159 (Bug ID) Vulnerability type: CWE-400 Vulnerable version: 1.2.0-2.3.14 Vulnerable component: lmtp, lda Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.15 Vendor notification: 2020-09-23 Solution date: 2020-12-07 Public disclosure: 2021-06-21 CVE

Open-Xchange Security Advisory 2021-06-21 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-4159 (Bug ID) Vulnerability type: CWE-400 Vulnerable version: 1.2.0-2.3.14 Vulnerable component: lmtp, lda Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.15 Vendor notification: 2020-09-23 Solution date: 2020-12-07 Public disclosure: 2021-06-21 CVE

Dear subscribers, we are sending notifications for three vulnerabilities, - CVE-2020-10957 - CVE-2020-10958 - CVE-2020-10967 Please find them below --- Aki Tuomi Open-Xchange Oy ------------------ Open-Xchange Security Advisory 2020-05-18 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3784 Vulnerability type: NULL pointer dereference (CWE-476) Vulnerable version:

Dear subscribers, we are sending notifications for three vulnerabilities, - CVE-2020-10957 - CVE-2020-10958 - CVE-2020-10967 Please find them below --- Aki Tuomi Open-Xchange Oy ------------------ Open-Xchange Security Advisory 2020-05-18 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3784 Vulnerability type: NULL pointer dereference (CWE-476) Vulnerable version:

Open-Xchange Security Advisory 2020-02-12 Affected product: Dovecot Core Internal reference: DOV-3743 (JIRA ID) Vulnerability type: Improper Input Validation (CWE-30) Vulnerable version: 2.3.9 Vulnerable component: lmtp, imap Fixed version: 2.3.9.3 Report confidence: Confirmed Solution status: Fixed Researcher credits: Open-Xchange oy Vendor notification: 2020-01-14 CVE reference: CVE-2020-7957

Open-Xchange Security Advisory 2020-08-12 Affected product: Dovecot IMAP server Internal reference: DOP-1870 (Bug ID) Vulnerability type: CWE-789 (Uncontrolled Memory Allocation) Vulnerable version: 2.2 Vulnerable component: auth Fixed version: 2.3.11.3 Report confidence: Confirmed Solution status: Fix available Vendor notification: 2020-05-03 CVE reference: CVE-2020-12673 CVSS: 7.5

Open-Xchange Security Advisory 2020-08-12 Affected product: Dovecot IMAP server Internal reference: DOP-1869 (Bug ID) Vulnerability type: CWE-126 (Buffer over-read) Vulnerable version: 2.2 Vulnerable component: auth Fixed version: 2.3.11.3 Report confidence: Confirmed Solution status: Fix available Vendor notification: 2020-05-03 Researcher credit: Orange from DEVCORE team CVE reference:

Open-Xchange Security Advisory 2020-02-12 Affected product: Dovecot Core Internal reference: DOV-3743 (JIRA ID) Vulnerability type: Improper Input Validation (CWE-30) Vulnerable version: 2.3.9 Vulnerable component: lmtp, imap Fixed version: 2.3.9.3 Report confidence: Confirmed Solution status: Fixed Researcher credits: Open-Xchange oy Vendor notification: 2020-01-14 CVE reference: CVE-2020-7957

Open-Xchange Security Advisory 2020-08-12 Affected product: Dovecot IMAP server Internal reference: DOP-1870 (Bug ID) Vulnerability type: CWE-789 (Uncontrolled Memory Allocation) Vulnerable version: 2.2 Vulnerable component: auth Fixed version: 2.3.11.3 Report confidence: Confirmed Solution status: Fix available Vendor notification: 2020-05-03 CVE reference: CVE-2020-12673 CVSS: 7.5

Open-Xchange Security Advisory 2020-08-12 Affected product: Dovecot IMAP server Internal reference: DOP-1869 (Bug ID) Vulnerability type: CWE-126 (Buffer over-read) Vulnerable version: 2.2 Vulnerable component: auth Fixed version: 2.3.11.3 Report confidence: Confirmed Solution status: Fix available Vendor notification: 2020-05-03 Researcher credit: Orange from DEVCORE team CVE reference:

Open-Xchange Security Advisory 2021-06-21 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-4583 (Bug ID) Vulnerability type: CWE-74: Failure to Sanitize Data into a Different Plane ('Injection') Vulnerable version: 2.3.0-2.3.14 Vulnerable component: submission Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.14.1 Vendor notification:

Open-Xchange Security Advisory 2021-06-21 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-4583 (Bug ID) Vulnerability type: CWE-74: Failure to Sanitize Data into a Different Plane ('Injection') Vulnerable version: 2.3.0-2.3.14 Vulnerable component: submission Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.14.1 Vendor notification:

Open-Xchange Security Advisory 2019-12-13 ? Product: Dovecot IMAP/POP3 Server Vendor: OX Software GmbH ? Internal reference: DOV-3719 Vulnerability type: NULL Pointer Dereference (CWE-476) Vulnerable version: 2.3.9 Vulnerable component: push notification driver Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.9.1 Researcher credits: Frederik Schwan, Michael

Open-Xchange Security Advisory 2019-12-13 ? Product: Dovecot IMAP/POP3 Server Vendor: OX Software GmbH ? Internal reference: DOV-3719 Vulnerability type: NULL Pointer Dereference (CWE-476) Vulnerable version: 2.3.9 Vulnerable component: push notification driver Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.9.1 Researcher credits: Frederik Schwan, Michael

Affected product: Dovecot IMAP Server Internal reference: DOV-5320 Vulnerability type: Improper Access Control (CWE-284) Vulnerable version: 2.2 Vulnerable component: submission Report confidence: Confirmed Solution status: Fixed in main Researcher credits: Julian Brook (julezman) Vendor notification: 2022-05-06 CVE reference: CVE-2022-30550 CVSS: 6.8

Affected product: Dovecot IMAP Server Internal reference: DOV-5320 Vulnerability type: Improper Access Control (CWE-284) Vulnerable version: 2.2 Vulnerable component: submission Report confidence: Confirmed Solution status: Fixed in main Researcher credits: Julian Brook (julezman) Vendor notification: 2022-05-06 CVE reference: CVE-2022-30550 CVSS: 6.8