From $URL :

Dovecot 2.1.11 was released and includes a fix for a crash condition when the IMAP server was issued a SEARCH command with multiple KEYWORD parameters. An authenticated remote user could use this flaw to crash Dovecot. The upstream fix was to remove the keyword merging code. This code does not exist in Dovecot 1.x, but it does affect 2.x versions, at least as far back as 2.0.9 (earliest version I checked).

References:
http://www.dovecot.org/list/dovecot-news/2012-November/000235.html
http://secunia.com/advisories/51455
http://hg.dovecot.org/dovecot-2.1/rev/0306792cc843
https://bugzilla.redhat.com/show_bug.cgi?id=883060
@security: dovecot-2.1.11 is not a good release. There are reports of problems building the sieve plugin. Please consider stabilizing =net-mail/dovecot-2.1.12-r1. Thank you.
Arches, please test and mark stable:
=net-mail/dovecot-2.1.12-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 stable
x86 stable
ppc stable
ppc64 stable
(In reply to comment #0)
> An authenticated remote user could use this flaw to crash
> Dovecot.

"A user can crash his/her own IMAP session" says upstream - not the whole IMAP server.

http://www.dovecot.org/list/dovecot/2012-December/069793.html

FYI
Stable for HPPA.
stable arm
alpha/ia64/s390/sh/sparc stable
Thanks, everyone.

(In reply to comment #7)
> (In reply to comment #0)
> > An authenticated remote user could use this flaw to crash
> > Dovecot.
>
> "A user can crash his/her own IMAP session" says upstream - not the whole
> IMAP server.
>
> http://www.dovecot.org/list/dovecot/2012-December/069793.html
>
> FYI

Thanks, Eras. CVE-2012-5620 has been rejected [1] as this is not a vulnerability.

Removing from security and closing since arches are finished.

[1] http://www.openwall.com/lists/oss-security/2012/12/05/1