Bug 572268 (CVE-2010-0745) - CVE-2010-0745 Dovecot: DoS (excessive CPU use) by processing email message with huge header
Summary: CVE-2010-0745 Dovecot: DoS (excessive CPU use) by processing email message wi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-0745
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.dovecot.org/list/dovecot-n...
Whiteboard:
Depends On: 572276
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-10 17:22 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:35 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-29 10:21:17 UTC
Embargoed:

Attachments (Terms of Use)

Description Jan Lieskovsky 2010-03-10 17:22:46 UTC 
Dovecot upstream has released latest v1.2.11 version:
  [1] http://www.dovecot.org/list/dovecot-news/2010-March/000152.html

addressing one denial of service issue (from upstream announcement):
  
"mbox users really should upgrade, because by sending a message with a
huge header you could basically cause a DoS (this problem exists only
with v1.2.x, not with v1.0 or v1.1)."

References:
  [2] http://dovecot.org/pipermail/dovecot/2010-February/047190.html
  [3] http://dovecot.org/pipermail/dovecot/2010-February/047058.html
  [4] http://dovecot.org/releases/1.2/dovecot-1.2.11.tar.gz

CVE Request:
  [5] http://www.openwall.com/lists/oss-security/2010/03/10/6
Comment 1 Jan Lieskovsky 2010-03-10 17:36:19 UTC 
This issue did NOT affect the versions of the dovecot package,
as shipped with Red Hat Enteprise Linux 4 and 5.

This issue is scheduled to be addressed within following versions
of the dovecot package, as shipped with Fedora:
  1, dovecot-1.2.11-1.fc11 for Fedora 11
  2, dovecot-1.2.11-1.fc12 for Fedora 12
Comment 3 Tomas Hoger 2010-03-29 10:21:17 UTC 
dovecot 1.2.11 is stable in F11 - F13.
Comment 4 Jan Lieskovsky 2010-04-03 16:21:03 UTC 
This is CVE-2010-0745.
Note You need to log in before you can comment on or make changes to this bug.