The JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. An attacker can repeatedly crash the Dovecot authentication process by logging in using an invalid UTF-8 sequence in the username. A crash can also occur if the OX push notification driver is enabled and an email is delivered with an invalid UTF-8 sequence in the From or Subject header.

External References: https://dovecot.org/list/dovecot-news/2019-April/000406.html
Created dovecot tracking bugs for this issue: Affects: fedora-all [bug 1701218]
Upstream commit: https://github.com/dovecot/core/commit/973769d74433de3c56c4ffdf4f343cb35d98e4f7
Statement: A flaw was found in the JSON encoder in dovecot, which an attacker could use to crash the application by using invalid UTF-8 characters in the login name during authentication or by using an invalid UTF-8 sequence in an email when the OX push notification driver is enabled. The versions of dovecot shipped with Red Hat Enterprise Linux did not ship the vulnerable code and therefore were not affected by this flaw.
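The defect class described above is an encoder that aborts on attacker-supplied bytes. The following added example (not Dovecot's code and not the upstream fix; `utf8_seq_len` and `json_escape` are hypothetical names) shows a JSON string escaper that validates UTF-8 and substitutes U+FFFD for each invalid byte instead of asserting.

```c
#include <stdio.h>
#include <string.h>

/* Length (1-4) of the well-formed UTF-8 sequence at s (n >= 1), 0 if invalid. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    unsigned char lo = 0x80, hi = 0xBF;   /* allowed range of 2nd byte */
    size_t need, i;
    if (s[0] < 0x80) return 1;
    if (s[0] >= 0xC2 && s[0] <= 0xDF) need = 2;
    else if (s[0] >= 0xE0 && s[0] <= 0xEF) need = 3;
    else if (s[0] >= 0xF0 && s[0] <= 0xF4) need = 4;
    else return 0;                        /* stray continuation, C0/C1, F5+ */
    if (s[0] == 0xE0) lo = 0xA0;          /* overlong 3-byte form */
    if (s[0] == 0xED) hi = 0x9F;          /* UTF-16 surrogates */
    if (s[0] == 0xF0) lo = 0x90;          /* overlong 4-byte form */
    if (s[0] == 0xF4) hi = 0x8F;          /* above U+10FFFF */
    if (n < need || s[1] < lo || s[1] > hi) return 0;
    for (i = 2; i < need; i++)
        if ((s[i] & 0xC0) != 0x80) return 0;
    return need;
}

/* Escape in[0..len) as the body of a JSON string into out (NUL-terminated).
 * Invalid bytes become U+FFFD instead of aborting. Returns the number of
 * bytes written, or (size_t)-1 if out is too small. */
size_t json_escape(const unsigned char *in, size_t len, char *out, size_t cap)
{
    size_t i = 0, o = 0, k;
    char tmp[8];

    while (i < len) {
        k = utf8_seq_len(in + i, len - i);
        if (k == 0) {                     /* bad byte: substitute, resync */
            memcpy(tmp, "\xEF\xBF\xBD", 3); k = 3; i++;
        } else if (k == 1 && in[i] < 0x20) {
            k = (size_t)snprintf(tmp, sizeof tmp, "\\u%04x", (unsigned)in[i++]);
        } else if (k == 1 && (in[i] == '"' || in[i] == '\\')) {
            tmp[0] = '\\'; tmp[1] = (char)in[i++]; k = 2;
        } else {
            memcpy(tmp, in + i, k); i += k;
        }
        if (o + k >= cap) return (size_t)-1;
        memcpy(out + o, tmp, k); o += k;
    }
    if (cap == 0) return (size_t)-1;
    out[o] = '\0';
    return o;
}
```

Because the failure is reported through the return value, a caller handling a login name or mail header can log and reject the input while the process keeps running.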