[3.10] dovecot: Multiple vulnerabilities (CVE-2019-11494, CVE-2019-11499)
CVE-2019-11494: Submission-login crashes with signal 11 due to a null pointer access when authentication is aborted by disconnecting. This can lead to a denial-of-service attack by persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
Reference:
https://dovecot.org/list/dovecot-news/2019-April/000409.html
CVE-2019-11499: Submission-login crashes when authentication is started over a TLS-secured channel and an invalid authentication message is sent. This can lead to a denial-of-service attack by persistent attacker(s).
Vulnerable version: 2.3.0 - 2.3.5.2
Fixed version: 2.3.6
Reference:
https://dovecot.org/list/dovecot-news/2019-April/000410.html
(from redmine: issue id 10387, created on 2019-05-02, closed on 2019-05-28)
- Relations:
  - parent #10386 (closed)
- Changesets:
  - Revision 4cbff222 on 2019-05-06T09:01:20Z:
    main/dovecot: security upgrade to 2.3.6 (CVE-2019-11494, CVE-2019-11499)
    Fixes #10387
    Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>