When the "dict" passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was passed through var_expand() as part of the template, so %variable sequences inside the username were interpreted rather than treated as literal text. A client that has not yet authenticated could therefore submit specially crafted %variable fields that result in excessive memory usage, causing the auth process to crash (and be restarted), or in excessive CPU usage, causing all authentications to hang.

This issue was introduced by: https://github.com/dovecot/core/commit/a3783f8a3c9cd816b51e77a922f82301512fcf22

Upstream patch: https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch

Vulnerable versions: 2.2.26 - 2.2.28
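The bug pattern described above (untrusted input spliced into the template of a %variable expander instead of being passed in as a value) is easiest to see with a small model. The following is an added illustration written for this page, not Dovecot's var_expand() and not the upstream fix: the toy expander only understands "%%", "%<letter>" and "%<width><letter>" (Dovecot's real expander has many more modifiers, and the amplification it suffered was through its own code paths), the "passdb/" key prefix is an assumed placeholder, and the max_width cap is an assumed defence-in-depth measure that the advisory does not describe.

```python
import re

# Toy var_expand()-style expander (assumption: loosely modelled on the "%u", "%20u"
# padding syntax; it is not Dovecot's implementation).
_VAR_RE = re.compile(r"%(%|(\d*)([a-zA-Z]))")


def var_expand(template, table, max_width=None):
    """Expand %variables in `template` from `table`.

    '%%' yields a literal '%'; '%8u' left-justifies the value of 'u' to width 8.
    `max_width`, when given, rejects absurd padding requests (assumed hardening,
    not part of the advisory).
    """
    def repl(match):
        if match.group(1) == "%":
            return "%"
        width = int(match.group(2)) if match.group(2) else 0
        if max_width is not None and width > max_width:
            raise ValueError("padding width %d exceeds limit %d" % (width, max_width))
        return table.get(match.group(3), "").ljust(width)

    return _VAR_RE.sub(repl, template)


def escape_percent(value):
    """Neutralise %sequences in an untrusted string before it reaches a template."""
    return value.replace("%", "%%")


def dict_key_vulnerable(username):
    # Vulnerable pattern: the client-supplied username becomes part of the
    # template, so "%100000u" in the username is *executed* by the expander.
    # "passdb/" is an assumed key prefix for illustration only.
    template = "passdb/" + username
    return var_expand(template, {"u": username, "d": "example.org"})


def dict_key_hardened(username, max_width=64):
    # Hardened pattern: the untrusted username is only ever a substitution value.
    # The template is a constant, so nothing the client sends is parsed as syntax.
    return var_expand("passdb/%u", {"u": username}, max_width=max_width)


def dict_key_escaped(username):
    # Alternative when the value genuinely must travel through the template path:
    # escape '%' first so the expander sees it as literal text.
    return var_expand("passdb/" + escape_percent(username), {"u": username})


def amplification(username):
    """Bytes produced per byte of input for the vulnerable key builder."""
    return len(dict_key_vulnerable(username)) / len(username)


if __name__ == "__main__":
    # Constructed attacker-controlled username: 8 bytes in, ~100 KB out.
    crafted = "%100000u"
    print("vulnerable output length:", len(dict_key_vulnerable(crafted)))
    print("amplification factor: %.0fx" % amplification(crafted))
    print("hardened key:", dict_key_hardened(crafted))
    print("escaped key :", dict_key_escaped(crafted))
```

Three crafted usernames like the one above, sent in one LOGIN command, would make the vulnerable builder allocate three times as much; the hardened builder returns the same short key regardless of how many %sequences the client includes, which is the property the upstream fix restores.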
Acknowledgments: the Dovecot project
According to analysis conducted by Red Hat and Debian, and acknowledged by the Dovecot project, versions prior to 2.2.26 were not affected by this issue.
Statement: Versions of dovecot shipped in Red Hat Enterprise Linux 5, 6 and 7 are not affected by this vulnerability.
Created dovecot tracking bugs for this issue: Affects: fedora-all [bug 1441457]