Red Hat Bugzilla – Bug 883060
CVE-2012-5620 dovecot: DoS when handling a search for multiple keywords
Last modified: 2012-12-04 17:51:04 EST
Dovecot 2.1.11 was released and includes a fix for a crash condition when the IMAP server was issued a SEARCH command with multiple KEYWORD parameters. An authenticated remote user could use this flaw to crash Dovecot.
The upstream fix was to remove the keyword merging code. This code does not exist in Dovecot 1.x, but it does affect 2.x versions, at least as far back as 2.0.9 (earliest version I checked).
So Red Hat Enterprise Linux 5 is not affected by this flaw, but Red Hat Enterprise Linux 6 and Fedora are.
Created dovecot tracking bugs for this issue
Affects: fedora-all [bug 883067]
This has been assigned CVE-2012-5620:
This was filed a bit prematurely. As upstream indicates in the Debian bug report, a user can only crash their own session (self-DoS), which we would not consider a security flaw.
Red Hat does not consider this to be a security flaw as a user executing these commands will only succeed in preventing service to the current connection, and not to the server as a whole.