Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4907 to the following vulnerability: The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From address, which triggers an assertion error, aka "invalid message address parsing bug." References: http://www.dovecot.org/list/dovecot-news/2008-October/000089.html http://www.securityfocus.com/bid/31997 http://secunia.com/advisories/32479 http://xforce.iss.net/xforce/xfdb/46227
Original report on the dovecot mailinglist: http://dovecot.org/list/dovecot/2008-October/034658.html Upstream commit: http://hg.dovecot.org/dovecot-1.1/rev/48840b2d4b18
Original report additionally mentions another commit fixing "similar problem": http://hg.dovecot.org/dovecot-1.1/rev/04fdaa2f831e http://dovecot.org/pipermail/dovecot/2008-September/033736.html We should look how this can be triggered and which versions are affected.
The CVE-2008-4907 affects only the version of the Dovecot package, as shipped with Fedora release of 10. Maintainer, please upgrade, to the latest upstream 1.1.6 version.
(In reply to comment #3) > The CVE-2008-4907 affects only the version of the Dovecot package, as shipped > with Fedora release of 10. Maintainer, please upgrade, to the latest upstream > 1.1.6 version. It's sitting in dist-f10-update-candidate and waiting for rel-eng to retag with dist-f10-final
https://www.redhat.com/security/data/cve/CVE-2008-4907.html