Debian Security Advisory 5752-1

Debian Linux Security Advisory 5752-1 - Two vulnerabilities have been discovered in the IMAP implementation of the Dovecot mail server: excessive numbers of address headers or very large headers can result in high CPU usage, leading to denial of service.

Packet Storm

Debian Security Advisory DSA-5752-1                  [email protected]
https://www.debian.org/security/                     Moritz Muehlenhoff
August 21, 2024                                      https://www.debian.org/security/faq


Package : dovecot
CVE ID : CVE-2024-23184 CVE-2024-23185

Two vulnerabilities have been discovered in the IMAP implementation of
the Dovecot mail server: Excessive numbers of address headers or very
large headers can result in high CPU usage, leading to denial of
service.

For the stable distribution (bookworm), these problems have been fixed in
version 1:2.3.19.1+dfsg1-2.1+deb12u1.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

Related news

Ubuntu Security Notice USN-7013-1

Ubuntu Security Notice 7013-1 - It was discovered that Dovecot incorrectly handled a large number of address headers. A remote attacker could possibly use this issue to cause Dovecot to consume resources, leading to a denial of service. It was discovered that Dovecot incorrectly handled very large headers. A remote attacker could possibly use this issue to cause Dovecot to consume resources, leading to a denial of service.

Red Hat Security Advisory 2024-6529-03

Red Hat Security Advisory 2024-6529-03 - An update for dovecot is now available for Red Hat Enterprise Linux 9. Issues addressed include denial of service and resource exhaustion vulnerabilities.

Ubuntu Security Notice USN-6982-1

Ubuntu Security Notice 6982-1 - It was discovered that Dovecot did not properly have restrictions on the size of address headers. A remote attacker could possibly use this issue to cause denial of service.

Dovecot IMAP Server 2.2 / 2.3 Denial Of Service

Dovecot IMAP server versions 2.2 and 2.3 suffer from denial of service and resource exhaustion vulnerabilities.

Dovecot IMAP Server 2.2 / 2.3 Missing Rate Limiting

Dovecot IMAP server versions 2.2 and 2.3 have an issue where a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue.
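
A defensive pre-check for the condition described above, as an added example that is not part of the advisory or of Dovecot: it counts address header lines and total header bytes in a raw message so that outliers can be flagged before they are parsed. The header names beyond From/To/Cc/Bcc, both limits, and the sample message are assumptions made for illustration.

```python
import io

# From/To/Cc/Bcc are named in the advisory text; Reply-To and Sender are an
# assumption covering its "etc.".
ADDRESS_HEADERS = {b"from", b"to", b"cc", b"bcc", b"reply-to", b"sender"}


def audit_headers(stream, max_addr_lines=1000, max_header_bytes=1 << 20):
    """Scan only the header block of a raw RFC 5322 message (binary stream).

    Returns (address_header_lines, header_bytes, findings). Both limits are
    assumed policy values, not the limits enforced by the fixed packages.
    """
    addr_lines = header_bytes = 0
    in_addr_header = False
    for line in stream:
        if line in (b"\n", b"\r\n"):        # blank line ends the header block
            break
        header_bytes += len(line)
        if line[:1] in (b" ", b"\t"):       # folded continuation line
            addr_lines += int(in_addr_header)
            continue
        name, sep, _ = line.partition(b":")
        in_addr_header = bool(sep) and name.strip().lower() in ADDRESS_HEADERS
        addr_lines += int(in_addr_header)
    findings = []
    if addr_lines > max_addr_lines:
        findings.append(f"{addr_lines} address header lines (limit {max_addr_lines})")
    if header_bytes > max_header_bytes:
        findings.append(f"{header_bytes} header bytes (limit {max_header_bytes})")
    return addr_lines, header_bytes, findings


# Constructed sample message: four address header lines, one of them folded.
SAMPLE = (b"From: a@example.org\r\n"
          b"To: b@example.org,\r\n"
          b"\tc@example.org\r\n"
          b"Cc: d@example.org\r\n"
          b"Subject: constructed sample\r\n"
          b"\r\n"
          b"To: this line is body text and is not counted\r\n")

if __name__ == "__main__":
    # A deliberately low limit so the small sample produces a finding.
    print(audit_headers(io.BytesIO(SAMPLE), max_addr_lines=3))
```

The scan is a single linear pass over the header block and never builds address objects, so the check itself stays cheap on the messages it is meant to flag.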
