INFSA-2024:6973: Dovecot security update
Information about definition
Identifier: INFSA-2024:6973
Type: security
Release date: 2024-10-10 10:32:28 UTC
Information about package
Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages.
Vulnerabilities description
- CVE-2024-23184
A flaw was found in Dovecot. Processing a large number of address headers (From, To, Cc, Bcc, etc.) can be excessively CPU intensive. This flaw allows a remote attacker to trigger a denial of service.
- CVE-2024-23185
A security issue was found in Dovecot. Very large headers can lead to resource exhaustion when parsing messages. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to the message-header-parser, it starts building up a "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit so large headers can cause large memory usage. This issue occurs whether it is a single long header line or a single header split into multiple lines.
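Both issues above are bounds problems in header parsing: an unbounded per-header accumulation buffer and an unbounded count of address headers. The following is an added example, not Dovecot's own code, of a chunk-fed header parser that enforces both limits; the limit values, the header set and the HeaderLimitExceeded exception are assumptions.

```python
# Added example, not Dovecot code: a chunk-fed header parser that bounds the
# per-header "full_value" it accumulates (the CVE-2024-23185 failure mode) and
# the number of address headers it accepts (the CVE-2024-23184 failure mode).
# The limits and the HeaderLimitExceeded exception are assumed values.
MAX_HEADER_VALUE = 8 * 1024      # assumed cap on one (possibly folded) header value
MAX_ADDRESS_HEADERS = 100        # assumed cap on From/To/Cc/Bcc/... header count
ADDRESS_HEADERS = {"from", "to", "cc", "bcc", "sender", "reply-to"}

class HeaderLimitExceeded(Exception):
    pass

def header_lines(chunks):
    """Reassemble CRLF lines from arbitrarily sized chunks without letting a
    single never-terminated line grow the pending buffer without bound."""
    pending = b""
    for chunk in chunks:
        pending += chunk
        while b"\n" in pending:
            line, pending = pending.split(b"\n", 1)
            yield line.rstrip(b"\r")
        if len(pending) > MAX_HEADER_VALUE:      # unterminated tail is capped too
            raise HeaderLimitExceeded("header line exceeds %d bytes" % MAX_HEADER_VALUE)
    if pending:
        yield pending

def parse_headers(chunks):
    """Parse a header block; folded continuation lines are joined into one value,
    but the joined value may never exceed MAX_HEADER_VALUE bytes."""
    headers, name, full_value, address_count = {}, None, b"", 0
    for line in header_lines(chunks):
        if line == b"":
            break                                   # blank line ends the header block
        if line[:1] in (b" ", b"\t") and name is not None:
            full_value += b" " + line.strip()       # folded continuation line
        else:
            if name is not None:
                headers.setdefault(name, []).append(full_value)
            raw_name, _, value = line.partition(b":")
            name, full_value = raw_name.strip().lower().decode("ascii", "replace"), value.strip()
            if name in ADDRESS_HEADERS:
                address_count += 1
                if address_count > MAX_ADDRESS_HEADERS:
                    raise HeaderLimitExceeded("more than %d address headers" % MAX_ADDRESS_HEADERS)
        if len(full_value) > MAX_HEADER_VALUE:      # single long line or folded header
            raise HeaderLimitExceeded("header %r exceeds %d bytes" % (name, MAX_HEADER_VALUE))
    if name is not None:
        headers.setdefault(name, []).append(full_value)
    return headers
```

The size check runs after every line, so a header that is folded across many short continuation lines is rejected at the same threshold as one long line, and an unterminated line is rejected before it is ever assembled.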
Severity level
CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0
---|---|---|---
NIST — CVE-2024-23184 | no information | 6.5 | no information
NIST — CVE-2024-23185 | no information | 6.8 | no information
Updated packages