Bug 1701216 (CVE-2019-10691)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2019-10691 dovecot: Mishandling invalid UTF-8 characters by JSON encoder leading to possible DoS attack. | | |
| Product | [Other] Security Response | Reporter | Marian Rehak <mrehak> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | anon.amish, bennie.joubert, janfrode, mailinglists, mhlavink |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | dovecot 2.3.5.2 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2019-04-22 06:04:26 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1701218 | | |
| Bug Blocks | 1701220 | | |
Description
Marian Rehak
2019-04-18 12:00:25 UTC
Created dovecot tracking bugs for this issue:

Affects: fedora-all [bug 1701218]

Statement:

A flaw was found in the JSON encoder in dovecot, which an attacker could use to crash the application via usage of invalid UTF-8 characters in the login name during authentication or by using an invalid UTF-8 sequence in email when the OX push notification driver is enabled. The versions of dovecot shipped with Red Hat Enterprise Linux did not ship the vulnerable code and therefore were not affected by this flaw.
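As an added defensive illustration of the failure mode in the statement above (not dovecot's own code, and not the upstream fix), the C functions below, with hypothetical names, validate every UTF-8 sequence before JSON-encoding it and substitute the escape `\ufffd` for each invalid byte, so that attacker-controlled text such as a login name cannot make the encoder abort.

```c
#include <stdio.h>
#include <string.h>
/* Length of the valid UTF-8 sequence starting at s (n bytes available),
   or 0 if it is truncated, overlong, a UTF-16 surrogate or out of range. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    if (n == 0) return 0;
    if (s[0] < 0x80) return 1;
    if (s[0] >= 0xC2 && s[0] <= 0xDF)
        return (n >= 2 && (s[1] & 0xC0) == 0x80) ? 2 : 0;
    if ((s[0] & 0xF0) == 0xE0) {
        if (n < 3 || (s[1] & 0xC0) != 0x80 || (s[2] & 0xC0) != 0x80) return 0;
        if (s[0] == 0xE0 && s[1] < 0xA0) return 0;  /* overlong 3-byte form */
        if (s[0] == 0xED && s[1] >= 0xA0) return 0; /* U+D800..U+DFFF */
        return 3;
    }
    if (s[0] >= 0xF0 && s[0] <= 0xF4) {
        if (n < 4 || (s[1] & 0xC0) != 0x80 || (s[2] & 0xC0) != 0x80 ||
            (s[3] & 0xC0) != 0x80) return 0;
        if (s[0] == 0xF0 && s[1] < 0x90) return 0;  /* overlong 4-byte form */
        if (s[0] == 0xF4 && s[1] >= 0x90) return 0; /* above U+10FFFF */
        return 4;
    }
    return 0; /* 0x80..0xC1 and 0xF5..0xFF can never start a sequence */
}
/* Write the body of a JSON string literal (no surrounding quotes) for the
   NUL-terminated input. Every invalid byte becomes \ufffd instead of
   aborting. Returns bytes written, or -1 if out is too small. */
static int json_escape_utf8(const char *in, char *out, size_t outlen)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t n = strlen(in), pos = 0;
    while (n > 0) {
        char tmp[8]; const char *piece = (const char *)s;
        size_t len = utf8_seq_len(s, n), plen = len;
        if (len == 0) {                        /* invalid: replace one byte */
            piece = "\\ufffd"; plen = 6; len = 1;
        } else if (len == 1 && (s[0] == '"' || s[0] == '\\')) {
            tmp[0] = '\\'; tmp[1] = (char)s[0]; piece = tmp; plen = 2;
        } else if (len == 1 && s[0] < 0x20) {  /* control characters */
            plen = (size_t)snprintf(tmp, sizeof tmp, "\\u%04x", (unsigned)s[0]);
            piece = tmp;
        }
        if (pos + plen >= outlen) return -1;   /* leave room for the NUL */
        memcpy(out + pos, piece, plen);
        pos += plen; s += len; n -= len;
    }
    out[pos] = '\0'; return (int)pos;
}
```

The sample inputs in the checks (a bare 0xFF byte, the overlong pair C0 AF, the encoded surrogate ED A0 80, a truncated E2 82) are constructed; each invalid byte is replaced individually so the output is always valid JSON and the encoder never reaches an unreachable-input assertion.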