Headline
Ubuntu Security Notice USN-7013-1
Ubuntu Security Notice 7013-1 - It was discovered that Dovecot incorrectly handled a large number of address headers. A remote attacker could possibly use this issue to cause Dovecot to consume resources, leading to a denial of service. It was discovered that Dovecot incorrectly handled very large headers. A remote attacker could possibly use this issue to cause Dovecot to consume resources, leading to a denial of service.
==========================================================================
Ubuntu Security Notice USN-7013-1
September 16, 2024

dovecot vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Dovecot.

Software Description:
- dovecot: IMAP and POP3 email server

Details:

It was discovered that Dovecot incorrectly handled a large number of
address headers. A remote attacker could possibly use this issue to cause
Dovecot to consume resources, leading to a denial of service.
(CVE-2024-23184)

It was discovered that Dovecot incorrectly handled very large headers. A
remote attacker could possibly use this issue to cause Dovecot to consume
resources, leading to a denial of service. (CVE-2024-23185)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  dovecot-core    1:2.3.16+dfsg1-3ubuntu2.4

Ubuntu 20.04 LTS
  dovecot-core    1:2.3.7.2-1ubuntu3.7

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7013-1
  CVE-2024-23184, CVE-2024-23185

Package Information:
  https://launchpad.net/ubuntu/+source/dovecot/1:2.3.16+dfsg1-3ubuntu2.4
  https://launchpad.net/ubuntu/+source/dovecot/1:2.3.7.2-1ubuntu3.7
Related news
Red Hat Security Advisory 2024-6529-03 - An update for dovecot is now available for Red Hat Enterprise Linux 9. Issues addressed include denial of service and resource exhaustion vulnerabilities.
Ubuntu Security Notice 6982-1 - It was discovered that Dovecot did not properly have restrictions on the size of address headers. A remote attacker could possibly use this issue to cause denial of service.
Debian Linux Security Advisory 5752-1 - Two vulnerabilities have been discovered in the IMAP implementation of large headers can result in high CPU usage, leading to denial of service.
Dovecot IMAP server versions 2.2 and 2.3 suffer from denial of service and resource exhaustion vulnerabilities.
Dovecot IMAP server versions 2.2 and 2.3 have an issue where a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue.
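A pre-delivery check for the two conditions described above (many address header lines, very large headers), as an added example that is not part of the advisory or of Dovecot's code. The thresholds, the function and class names, and the header names beyond From, To, Cc and Bcc are assumptions; the sample messages are constructed.

```python
"""Linear-time audit of a raw RFC 5322 header block (added example)."""
from dataclasses import dataclass

# "From, To, Cc, Bcc" come from the advisory text; the rest are assumed
# members of its "etc." (standard RFC 5322 address fields).
ADDRESS_HEADERS = {b"from", b"to", b"cc", b"bcc", b"sender", b"reply-to",
                   b"resent-from", b"resent-to", b"resent-cc", b"resent-bcc"}

# Assumed policy thresholds, not values taken from Dovecot or the advisory.
MAX_ADDRESS_HEADER_LINES = 50
MAX_HEADER_BYTES = 256 * 1024

@dataclass
class HeaderAudit:
    address_header_lines: int
    header_bytes: int
    reasons: list

    @property
    def suspicious(self):
        return bool(self.reasons)

def audit_headers(raw: bytes) -> HeaderAudit:
    """Scan only the header block, in one pass, without parsing addresses."""
    # The header block ends at the first empty line (CRLF or bare LF).
    ends = [i for i in (raw.find(b"\r\n\r\n"), raw.find(b"\n\n")) if i != -1]
    block = raw[:min(ends)] if ends else raw
    count = 0
    for line in block.splitlines():
        # Folded continuation lines belong to the previous field, so skip them.
        if line[:1] in (b" ", b"\t") or b":" not in line:
            continue
        name = line.split(b":", 1)[0].strip().lower()
        if name in ADDRESS_HEADERS:
            count += 1
    reasons = []
    if count > MAX_ADDRESS_HEADER_LINES:
        reasons.append(f"{count} address header lines")
    if len(block) > MAX_HEADER_BYTES:
        reasons.append(f"{len(block)} header bytes")
    return HeaderAudit(count, len(block), reasons)

# Constructed samples (not captured traffic).
NORMAL = b"From: a@example.com\r\nTo: b@example.com\r\nSubject: hi\r\n\r\nbody\r\n"
MANY = b"From: a@example.com\r\n" + b"To: b@example.com\r\n" * 200 + b"\r\nTo: in body\r\n"

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL), ("many", MANY)):
        print(label, audit_headers(msg))
```

A check like this can run in an MTA filter or a log-review script to quarantine or flag messages on hosts that have not yet received the fixed dovecot-core packages; it does not replace the update.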