Bug 244962 (CVE-2008-4907) - net-mail/dovecot < 1.1.6: Permanent DoS w/ broken mail headers (CVE-2008-4907)
Summary: net-mail/dovecot < 1.1.6: Permanent DoS w/ broken mail headers (CVE-2008-4907)
Status: RESOLVED FIXED
Alias: CVE-2008-4907
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.dovecot.org/list/dovecot-n...
Whiteboard: B3 [glsa]
Reported: 2008-10-30 13:41 UTC by Wolfram Schlich (RETIRED)
Modified: 2008-12-15 13:54 UTC
Description Wolfram Schlich (RETIRED) gentoo-dev 2008-10-30 13:41:50 UTC
I've just bumped dovecot to 1.1.6.
Excerpt from the 1.1.6 release notes:
--8<--
The invalid message address parsing bug is pretty important since it
allows a remote user to send broken mail headers and prevent the
recipient from accessing the mailbox afterwards, because the process
will always just crash trying to parse the header. This is assuming that
the IMAP client uses FETCH ENVELOPE command, not all do. Note that it
doesn't affect versions older than v1.1.4.
--8<--
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-30 14:33:17 UTC
Thanks. Setting whiteboard and CC'ing arches...

Arches, please test and mark stable
  =net-mail/dovecot-1.1.6
Target keywords: alpha amd64 ppc sparc x86
Comment 2 Markus Meier gentoo-dev 2008-11-01 23:58:09 UTC
amd64/x86 stable
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-02 10:35:45 UTC
ppc stable
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-04 08:36:34 UTC
alpha, sparc: *ping*
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2008-11-06 09:11:36 UTC
alpha/sparc stable
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-08 09:52:23 UTC
Ready for vote, I vote YES.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-11-09 13:06:07 UTC
YES too, filed.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-15 13:54:28 UTC
GLSA 200812-16, thanks everyone, sorry about the delay.