similar to: CVE-2021-33515: SMTP Submission service STARTTLS injection

Open-Xchange Security Advisory 2021-01-04 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOP-2009 (Bug ID) Vulnerability type: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences Vulnerable version: 2.2.26-2.3.11.3 Vulnerable component: imap Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.13 Vendor notification: 2020-08-17

Open-Xchange Security Advisory 2021-01-04 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOP-2009 (Bug ID) Vulnerability type: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences Vulnerable version: 2.2.26-2.3.11.3 Vulnerable component: imap Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.13 Vendor notification: 2020-08-17

Open-Xchange Security Advisory 2021-06-21 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-4476 (Bug ID) Vulnerability type: CWE-24: Path Traversal: '../filedir' Vulnerable version: 2.3.11-2.3.14 Vulnerable component: imap, pop3, submission, managesieve Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.14.1 Vendor notification: 2021-03-22

Open-Xchange Security Advisory 2021-06-21 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-4476 (Bug ID) Vulnerability type: CWE-24: Path Traversal: '../filedir' Vulnerable version: 2.3.11-2.3.14 Vulnerable component: imap, pop3, submission, managesieve Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.14.1 Vendor notification: 2021-03-22

Open-Xchange Security Advisory 2019-12-13 ? Product: Dovecot IMAP/POP3 Server Vendor: OX Software GmbH ? Internal reference: DOV-3719 Vulnerability type: NULL Pointer Dereference (CWE-476) Vulnerable version: 2.3.9 Vulnerable component: push notification driver Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.9.1 Researcher credits: Frederik Schwan, Michael

Open-Xchange Security Advisory 2019-12-13 ? Product: Dovecot IMAP/POP3 Server Vendor: OX Software GmbH ? Internal reference: DOV-3719 Vulnerability type: NULL Pointer Dereference (CWE-476) Vulnerable version: 2.3.9 Vulnerable component: push notification driver Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.9.1 Researcher credits: Frederik Schwan, Michael

Affected product: Dovecot IMAP Server Internal reference: DOV-5320 Vulnerability type: Improper Access Control (CWE-284) Vulnerable version: 2.2 Vulnerable component: submission Report confidence: Confirmed Solution status: Fixed in main Researcher credits: Julian Brook (julezman) Vendor notification: 2022-05-06 CVE reference: CVE-2022-30550 CVSS: 6.8

Affected product: Dovecot IMAP Server Internal reference: DOV-5320 Vulnerability type: Improper Access Control (CWE-284) Vulnerable version: 2.2 Vulnerable component: submission Report confidence: Confirmed Solution status: Fixed in main Researcher credits: Julian Brook (julezman) Vendor notification: 2022-05-06 CVE reference: CVE-2022-30550 CVSS: 6.8

Hi, This is an "important fixes only" release in case you don't want to upgrade to v2.3.15. There is no matching Pigeonhole release - use the same v2.3.14 instead. https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz <https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz> https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz.sig

Hi, This is an "important fixes only" release in case you don't want to upgrade to v2.3.15. There is no matching Pigeonhole release - use the same v2.3.14 instead. https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz <https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz> https://dovecot.org/releases/2.3/dovecot-2.3.14.1.tar.gz.sig

Hi, I have the SSH Terrapin Prefix Truncation Weakness on Red Hat Enterprise Linux release 8.7 (Ootpa). The details are as follows. # rpm -qa | grep openssh openssh-8.0p1-16.el8.x86_64 openssh-askpass-8.0p1-16.el8.x86_64 openssh-server-8.0p1-16.el8.x86_64 openssh-clients-8.0p1-16.el8.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux release 8.7 (Ootpa) # SSH Terrapin Prefix Truncation

You might find RedHat's CVE page on this useful: https://access.redhat.com/security/cve/cve-2023-48795 On Tue, Jan 23, 2024 at 10:04?AM Kaushal Shriyan <kaushalshriyan at gmail.com> wrote: > Hi, > > I have the SSH Terrapin Prefix Truncation Weakness on Red Hat Enterprise > Linux release 8.7 (Ootpa). The details are as follows. > > # rpm -qa | grep openssh >

Thanks for the analysis of second bug. Please also share CVSSv3 score for first bug. Arjit Kumar On Fri, May 26, 2017 at 12:29 PM, Andrew Bartlett <abartlet at samba.org> wrote: > On Fri, 2017-05-26 at 11:36 +0530, Arjit Gupta via samba wrote: > > Hi Team, > > > > Please let me know the severity of CVE-2017-2619 and CVE-2017-7494. > > They are not unpublished:

Open-Xchange Security Advisory 2021-06-21 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-4159 (Bug ID) Vulnerability type: CWE-400 Vulnerable version: 1.2.0-2.3.14 Vulnerable component: lmtp, lda Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.15 Vendor notification: 2020-09-23 Solution date: 2020-12-07 Public disclosure: 2021-06-21 CVE

Open-Xchange Security Advisory 2021-06-21 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-4159 (Bug ID) Vulnerability type: CWE-400 Vulnerable version: 1.2.0-2.3.14 Vulnerable component: lmtp, lda Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.15 Vendor notification: 2020-09-23 Solution date: 2020-12-07 Public disclosure: 2021-06-21 CVE

Dear subscribers, we are sending notifications for three vulnerabilities, - CVE-2020-10957 - CVE-2020-10958 - CVE-2020-10967 Please find them below --- Aki Tuomi Open-Xchange Oy ------------------ Open-Xchange Security Advisory 2020-05-18 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3784 Vulnerability type: NULL pointer dereference (CWE-476) Vulnerable version:

Dear subscribers, we are sending notifications for three vulnerabilities, - CVE-2020-10957 - CVE-2020-10958 - CVE-2020-10967 Please find them below --- Aki Tuomi Open-Xchange Oy ------------------ Open-Xchange Security Advisory 2020-05-18 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3784 Vulnerability type: NULL pointer dereference (CWE-476) Vulnerable version:

Hi, this is a heads-up that there will be Samba security updates on Wednesday, May 24th. Please make sure that your Samba AD DCs will be updated immediately after the release! Impacted components: o AD DC LDAP Server (CVSS 7.5, high) Cheers, Karolin -- Karolin Seeger https://samba.org/~kseeger/ Release Manager Samba Team https://samba.org Team Lead Samba SerNet https://sernet.de

Hi, this is a heads-up that there will be Samba security updates on Wednesday, May 24th. Please make sure that your Samba AD DCs will be updated immediately after the release! Impacted components: o AD DC LDAP Server (CVSS 7.5, high) Cheers, Karolin -- Karolin Seeger https://samba.org/~kseeger/ Release Manager Samba Team https://samba.org Team Lead Samba SerNet https://sernet.de

We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc Important vulnerability in Dovecot