Bug 572268 (CVE-2010-0745)

Summary: CVE-2010-0745 Dovecot: DoS (excessive CPU use) by processing email message with huge header
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: mhlavink
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.dovecot.org/list/dovecot-news/2010-March/000152.html
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-29 10:21:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 572276    
Bug Blocks:    

Description Jan Lieskovsky 2010-03-10 17:22:46 UTC 
Dovecot upstream has released latest v1.2.11 version:
  [1] http://www.dovecot.org/list/dovecot-news/2010-March/000152.html

addressing one denial of service issue (from upstream announcement):
  
"mbox users really should upgrade, because by sending a message with a
huge header you could basically cause a DoS (this problem exists only
with v1.2.x, not with v1.0 or v1.1)."

References:
  [2] http://dovecot.org/pipermail/dovecot/2010-February/047190.html
  [3] http://dovecot.org/pipermail/dovecot/2010-February/047058.html
  [4] http://dovecot.org/releases/1.2/dovecot-1.2.11.tar.gz

CVE Request:
  [5] http://www.openwall.com/lists/oss-security/2010/03/10/6
Comment 1 Jan Lieskovsky 2010-03-10 17:36:19 UTC 
This issue did NOT affect the versions of the dovecot package,
as shipped with Red Hat Enteprise Linux 4 and 5.

This issue is scheduled to be addressed within following versions
of the dovecot package, as shipped with Fedora:
  1, dovecot-1.2.11-1.fc11 for Fedora 11
  2, dovecot-1.2.11-1.fc12 for Fedora 12
Comment 3 Tomas Hoger 2010-03-29 10:21:17 UTC 
dovecot 1.2.11 is stable in F11 - F13.
Comment 4 Jan Lieskovsky 2010-04-03 16:21:03 UTC 
This is CVE-2010-0745.