CVE-2020-25275 – dovecot: Denial of service via mail MIME parsing
https://notcve.org/view.php?id=CVE-2020-25275
Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts. Dovecot versiones anteriores a 2.3.13, presenta una Comprobación de Entrada Inapropiada en lda, lmtp e imap, conllevando a un bloqueo de la aplicación por medio de un mensaje de correo electrónico diseñado con determinadas opciones para diez mil partes MIME. • http://packetstormsecurity.com/files/160841/Dovecot-2.3.11.3-Denial-Of-Service.html http://seclists.org/fulldisclosure/2021/Jan/18 http://www.openwall.com/lists/oss-security/2021/01/04/3 https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html https://dovecot.org/security https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7 https://security.gentoo.org/glsa/202101-01 https://www.debian.org/security/2021/dsa-48 • CWE-20: Improper Input Validation •
CVE-2020-12673 – dovecot: Out of bound reads in dovecot NTLM implementation
https://notcve.org/view.php?id=CVE-2020-12673
In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read. En Dovecot versiones anteriores a 2.3.11.3, el envío de una petición NTLM con formato especial bloqueará el servicio auth debido a una lectura fuera de límites A flaw was found in dovecot. An out-of-bounds read flaw was found in the way dovecot handled NTLM authentication allowing an attacker to crash the dovecot auth process repeatedly preventing login. The highest threat from this vulnerability is to system availability. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html https://dovecot.org/security https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2 https://lists.fedoraproject.org/ar • CWE-125: Out-of-bounds Read •
CVE-2020-12100 – dovecot: Resource exhaustion via deeply nested MIME parts
https://notcve.org/view.php?id=CVE-2020-12100
In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts. En Dovecot versiones anteriores a 2.3.11.3, la recursividad no controlada en submission, lmtp, y lda permite a atacantes remotos causar una denegación de servicio (consumo de recursos) por medio de un mensaje de correo electrónico diseñado con partes MIME profundamente anidadas A flaw was found in dovecot. A remote attacker could cause a denial of service by repeatedly sending emails containing MIME parts containing malicious content of which dovecot will attempt to parse. The highest threat from this vulnerability is to system availability. • http://seclists.org/fulldisclosure/2021/Jan/18 http://www.openwall.com/lists/oss-security/2020/08/12/1 http://www.openwall.com/lists/oss-security/2021/01/04/3 https://dovecot.org/security https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2 http • CWE-674: Uncontrolled Recursion •
CVE-2020-12674 – dovecot: Crash due to assert in RPA implementation
https://notcve.org/view.php?id=CVE-2020-12674
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled. En Dovecot versiones anteriores a 2.3.11.3, el envío de una petición RPA con un formato especial bloqueará el servicio auth porque una longitud de cero es manejada inapropiadamente A flaw was found in dovecot. An attacker can use the way dovecot handles RPA (Remote Passphrase Authentication) to crash the authentication process repeatedly preventing login. The highest threat from this vulnerability is to system availability. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html https://dovecot.org/security https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2 https://lists.fedoraproject.org/ar • CWE-125: Out-of-bounds Read •