1.2.x versions before 1.2.11 are vulnerable to DoS attack
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| dovecot (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Fetching a message with a huge header could have resulted in Dovecot
eating a lot of CPU. An evil attacker could cause a DoS by sending
forged messages.
CVE not assigned yet, but the Debian security team is working to obtain one.
From Timo's post to the Dovecot mailing list:
>
> mbox users really should upgrade, because by sending a message with a
> huge header you could basically cause a DoS (this problem exists only
> with v1.2.x, not with v1.0 or v1.1).
>
> - mbox: Message header reading was unnecessarily slow. Fetching a
> huge header could have resulted in Dovecot eating a lot of CPU.
> Also searching messages was much slower than necessary.
> - mbox, dbox, cydir: Mail root directory was created with 0770
> permissions, instead of 0700.
> - maildir: Reading uidlist could have ended up in an infinite loop.
> - IMAP IDLE: v1.2.7+ caused extra load by checking changes every
> 0.5 seconds after a change had occurred in mailbox
>
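Two checks a practitioner would want after reading the report above, written as an added example (this is not Dovecot's code and not part of the bug report): `is_affected()` applies the rule stated on this page (only the 1.2 branch before 1.2.11 is affected; 1.0 and 1.1 are not) to the output of `dovecot --version`, and `scan_mbox_headers()` walks an mbox file and flags messages whose header block is larger than a threshold, so oversized headers of the kind described can be found in existing spools. The sample mbox is constructed here, and the 64 KiB threshold is an assumption, not a number from the page.

```python
import re

# Version in which the header-reading slowness was fixed, per the report above.
FIXED_IN = (1, 2, 11)


def parse_version(text):
    """Extract the first dotted numeric version (e.g. from `dovecot --version`)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version_text):
    """True only for 1.2.x releases older than 1.2.11 (the rule stated on the page)."""
    v = parse_version(version_text)
    return v[:2] == (1, 2) and v < FIXED_IN


def split_mbox(data):
    """Split mbox text into raw messages on 'From ' separator lines.

    A message body line starting with 'From ' is conventionally escaped as
    '>From ' in mbox, so an unescaped 'From ' at line start begins a message.
    """
    messages, current = [], []
    for line in data.splitlines(keepends=True):
        if line.startswith("From ") and current:
            messages.append("".join(current))
            current = []
        current.append(line)
    if current:
        messages.append("".join(current))
    return messages


def header_size(message):
    """Byte size of the header block: everything after the envelope line and
    before the first blank line."""
    if message.startswith("From "):
        message = message.split("\n", 1)[1] if "\n" in message else ""
    head, _, _ = message.partition("\n\n")
    return len(head.encode("utf-8"))


def scan_mbox_headers(data, limit=64 * 1024):
    """Return [(message_index, header_bytes)] for messages whose header block
    exceeds `limit` bytes (the threshold is an assumed value)."""
    oversized = []
    for i, msg in enumerate(split_mbox(data)):
        size = header_size(msg)
        if size > limit:
            oversized.append((i, size))
    return oversized


# Constructed sample spool: one ordinary message and one with a ~200 KiB header.
SAMPLE_MBOX = (
    "From alice@example.com Mon Jan  4 10:00:00 2010\n"
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: normal\n"
    "\n"
    "hello\n"
    "\n"
    "From mallory@example.com Mon Jan  4 10:01:00 2010\n"
    "From: mallory@example.com\n"
    "To: bob@example.com\n"
    "Subject: huge header\n"
    "X-Padding: " + "A" * (200 * 1024) + "\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for banner in ("Dovecot 1.2.10", "Dovecot 1.2.11", "Dovecot 1.1.20", "Dovecot 2.0.0"):
        print("%-16s affected=%s" % (banner, is_affected(banner)))
    for idx, size in scan_mbox_headers(SAMPLE_MBOX):
        print("message %d has a %d-byte header block" % (idx, size))
```

On a live system, feed the first check the output of `dovecot --version` and point the second at each user's mbox (the `limit` argument can be lowered for a stricter sweep); the scanner only measures header size, it does not modify the spool.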
visibility: private → public
Changed in dovecot (Ubuntu):
status: New → Confirmed
Here is the patch to correct this issue:
http://hg.dovecot.org/dovecot-1.2/rev/6c9f2ed821df