Bug 572268 - (CVE-2010-0745) CVE-2010-0745 Dovecot: DoS (excessive CPU use) by processing email message with huge header
CVE-2010-0745 Dovecot: DoS (excessive CPU use) by processing email message wi...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 572276
  Show dependency treegraph
Reported: 2010-03-10 12:22 EST by Jan Lieskovsky
Modified: 2010-04-03 12:21 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-03-29 06:21:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2010-03-10 12:22:46 EST
Dovecot upstream has released latest v1.2.11 version:
  [1] http://www.dovecot.org/list/dovecot-news/2010-March/000152.html

addressing one denial of service issue (from upstream announcement):
"mbox users really should upgrade, because by sending a message with a
huge header you could basically cause a DoS (this problem exists only
with v1.2.x, not with v1.0 or v1.1)."

  [2] http://dovecot.org/pipermail/dovecot/2010-February/047190.html
  [3] http://dovecot.org/pipermail/dovecot/2010-February/047058.html
  [4] http://dovecot.org/releases/1.2/dovecot-1.2.11.tar.gz

CVE Request:
  [5] http://www.openwall.com/lists/oss-security/2010/03/10/6
Comment 1 Jan Lieskovsky 2010-03-10 12:36:19 EST
This issue did NOT affect the versions of the dovecot package,
as shipped with Red Hat Enteprise Linux 4 and 5.

This issue is scheduled to be addressed within following versions
of the dovecot package, as shipped with Fedora:
  1, dovecot-1.2.11-1.fc11 for Fedora 11
  2, dovecot-1.2.11-1.fc12 for Fedora 12
Comment 3 Tomas Hoger 2010-03-29 06:21:17 EDT
dovecot 1.2.11 is stable in F11 - F13.
Comment 4 Jan Lieskovsky 2010-04-03 12:21:03 EDT
This is CVE-2010-0745.

Note You need to log in before you can comment on or make changes to this bug.