[3.9] dovecot: Mishandling invalid UTF-8 characters by JSON encoder leading to possible DoS attack (CVE-2019-10691)
The JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. An attacker can repeatedly crash the Dovecot authentication process by logging in using an invalid UTF-8 sequence in the username. A crash can also occur if the OX push notification driver is enabled and an email is delivered with an invalid UTF-8 sequence in the From or Subject header.
Fixed In Version:
(from redmine: issue id 10313, created on 2019-04-22, closed on 2019-06-22)
- parent #10311 (closed)