Red Hat Bugzilla – Bug 469813
CVE-2008-4907 dovecot: per-user DoS via message with malformed headers
Last modified: 2010-03-29 05:32:03 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4907 to the following vulnerability:
The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From address, which triggers an assertion error, aka "invalid message address parsing bug."
Original report on the dovecot mailing list:
Original report additionally mentions another commit fixing "similar problem":
We should look at how this can be triggered and which versions are affected.
CVE-2008-4907 affects only the version of the Dovecot package as shipped with the Fedora 10 release. Maintainer, please upgrade to the latest upstream 1.1.6 version.
(In reply to comment #3)
> The CVE-2008-4907 affects only the version of the Dovecot package, as shipped
> with Fedora release of 10. Maintainer, please upgrade, to the latest upstream
> 1.1.6 version.
It's sitting in dist-f10-update-candidate and waiting for rel-eng to retag with dist-f10-final