1.2.x versions before 1.2.11 are vulnerable to DoS attack
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| dovecot (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
Fetching a message with a huge header could have resulted in Dovecot
eating a lot of CPU. An evil attacker could cause a DoS by sending
forged messages.
CVE not assigned jet, but debian security team is working to obtain one.
from Timo's post to the dovecot mailing list:
>
> mbox users really should upgrade, because by sending a message with a
> huge header you could basically cause a DoS (this problem exists only
> with v1.2.x, not with v1.0 or v1.1).
>
> - mbox: Message header reading was unnecessarily slow. Fetching a
> huge header could have resulted in Dovecot eating a lot of CPU.
> Also searching messages was much slower than necessary.
> - mbox, dbox, cydir: Mail root directory was created with 0770
> permissions, instead of 0700.
> - maildir: Reading uidlist could have ended up in an infinite loop.
> - IMAP IDLE: v1.2.7+ caused extra load by checking changes every
> 0.5 seconds after a change had occurred in mailbox
>
Related branches
CVE References
| visibility: | private → public |
| Changed in dovecot (Ubuntu): | |
| status: | New → Confirmed |
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in dovecot (Ubuntu): | |
| status: | Confirmed → Fix Released |
Here is the patch to correct this issue
http://