[3.9] dovecot: Multiple vulnerabilities (CVE-2019-11494, CVE-2019-11499) (#10388) · Issues · alpine / aports

[3.9] dovecot: Multiple vulnerabilities (CVE-2019-11494, CVE-2019-11499)

CVE-2019-11494: Submission-login crashes with signal 11 due to null pointer access when authentication is
aborted by disconnecting. This can lead to denial-of-service attack by persistent attacker(s).

Vulnerable version: 2.3.0 - 2.3.5.2

Fixed version: 2.3.6

Reference:

https://dovecot.org/list/dovecot-news/2019-April/000409.html

CVE-2019-11499: Submission-login crashes when authentication is started over TLS secured channel and invalid
authentication message is sent. This can lead to denial-of-service attack by persistent attacker(s).

Vulnerable version: 2.3.0 - 2.3.5.2

Fixed version: 2.3.6

Reference:

https://dovecot.org/list/dovecot-news/2019-April/000410.html

(from redmine: issue id 10388, created on 2019-05-02, closed on 2019-05-28)

Relations:
- parent #10386 (closed)
Changesets:
- Revision f82ad4a4 on 2019-05-06T09:09:53Z:

main/dovecot: security upgrade to 2.3.6 (CVE-2019-11494, CVE-2019-11499)

Fixes #10388

Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information