[Buildroot] [PATCH v2] package/dovecot: security bump to version 2.3.9.3

Peter Korsgaard peter at korsgaard.com
Sat Feb 15 10:53:05 UTC 2020


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > - CVE-2020-7046: Truncated UTF-8 can be used to DoS submission-login and
 >   lmtp processes
 >   lib-smtp doesn't handle truncated command parameters properly, resulting
 >   in infinite loop taking 100% CPU for the process.  This happens for LMTP
 >   (where it doesn't matter so much) and also for submission-login where
 >   unauthenticated users can trigger it.

 > - CVE-2020-7957: Specially crafted mail can crash snippet generation
 >   Snippet generation crashes if:
 >   - message is large enough that message-parser returns multiple body
 >     blocks
 >   - The first block(s) don't contain the full snippet (e.g.  full of
 >     whitespace)
 >   - input ends with '>'

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
 > ---
 > Changes since v1:
 >  - Fix subject
 >  - Drop unicode from commit text

Committed, thanks.

-- 
Bye, Peter Korsgaard
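
The CVE-2020-7046 entry in the commit message describes a parser that spins when a command parameter ends in a truncated UTF-8 sequence. The sketch below is an added example, not Dovecot's lib-smtp code and not part of the original mail: a scan loop that either advances or returns on every iteration. The names `scan_utf8_param` and `scan_result` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum scan_result { SCAN_OK = 0, SCAN_INVALID = -1, SCAN_TRUNCATED = -2 };

/* Total length implied by a UTF-8 lead byte, or 0 if it cannot start a sequence. */
static size_t utf8_seq_len(uint8_t lead)
{
    if (lead < 0x80) return 1;
    if (lead >= 0xC2 && lead <= 0xDF) return 2;
    if (lead >= 0xE0 && lead <= 0xEF) return 3;
    if (lead >= 0xF0 && lead <= 0xF4) return 4;
    return 0;
}

/* Hypothetical helper: validate buf[0..len) as UTF-8 and report in *consumed
 * how many bytes were accepted. Each iteration either advances pos or
 * returns, so a sequence cut off at the end of the buffer cannot make the
 * loop spin. */
static enum scan_result scan_utf8_param(const uint8_t *buf, size_t len, size_t *consumed)
{
    size_t pos = 0;
    *consumed = 0;
    while (pos < len) {
        uint8_t lead = buf[pos];
        size_t need = utf8_seq_len(lead);
        if (need == 0) return SCAN_INVALID;
        if (need > len - pos) return SCAN_TRUNCATED;   /* report it, never retry in place */
        for (size_t i = 1; i < need; i++)
            if ((buf[pos + i] & 0xC0) != 0x80) return SCAN_INVALID;
        /* Reject overlong forms, surrogates and values above U+10FFFF. */
        if ((lead == 0xE0 && buf[pos + 1] < 0xA0) || (lead == 0xED && buf[pos + 1] > 0x9F) ||
            (lead == 0xF0 && buf[pos + 1] < 0x90) || (lead == 0xF4 && buf[pos + 1] > 0x8F))
            return SCAN_INVALID;
        pos += need;
        *consumed = pos;
    }
    return SCAN_OK;
}

int main(void)
{
    /* Constructed sample: "caf" followed by only the first byte of U+00E9. */
    const uint8_t truncated[] = { 'c', 'a', 'f', 0xC3 };
    size_t n;
    int r = scan_utf8_param(truncated, sizeof truncated, &n);
    printf("result=%d consumed=%zu\n", r, n);
    return 0;
}
```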

