Vulnerability CVE-2019-11500: Information

Description

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.

Severity: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-11500
Published: Aug. 29, 2019
Modified: Nov. 7, 2023
Error type identifier: CWE-787

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
dovecotsisyphus2.3.7.2-alt12.3.21-alt1ALT-PU-2019-2559-1236726Fixed
dovecotp102.3.7.2-alt12.3.21-alt1ALT-PU-2019-2559-1236726Fixed
dovecotp92.3.7.2-alt12.3.16-alt1ALT-PU-2019-2570-1236729Fixed
dovecotp82.3.5-alt1.M80P.12.3.5-alt1.M80P.1ALT-PU-2019-2586-1236782Fixed
dovecotc10f12.3.7.2-alt12.3.19.1-alt2ALT-PU-2019-2559-1236726Fixed
dovecotc9f22.3.7.2-alt12.3.19.1-alt2ALT-PU-2019-2570-1236729Fixed
dovecotc72.2.30.2-alt0.M70C.22.2.30.2-alt0.M70C.2ALT-PU-2019-2608-1236910Fixed
dovecot-pigeonholesisyphus0.5.7.2-alt10.5.21-alt1ALT-PU-2019-2560-1236726Fixed
dovecot-pigeonholep100.5.7.2-alt10.5.21-alt1ALT-PU-2019-2560-1236726Fixed
dovecot-pigeonholep90.5.7.2-alt10.5.16-alt1ALT-PU-2019-2571-1236729Fixed
dovecot-pigeonholep80.5.5-alt1.M80P.10.5.5-alt1.M80P.1ALT-PU-2019-2587-1236782Fixed
dovecot-pigeonholec10f10.5.7.2-alt10.5.19-alt1ALT-PU-2019-2560-1236726Fixed
dovecot-pigeonholec9f20.5.7.2-alt10.5.19-alt1ALT-PU-2019-2571-1236729Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
http://www.openwall.com/lists/oss-security/2019/08/28/3
  • Exploit
  • Mailing List
  • Third Party Advisory
https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html
  • Patch
  • Vendor Advisory
https://www.dovecot.org/security.html
  • Vendor Advisory
[debian-lts-announce] 20190829 [SECURITY] [DLA 1901-1] dovecot security update
  • Mailing List
  • Third Party Advisory
GLSA-201908-29
  • Third Party Advisory
RHSA-2019:2822
    RHSA-2019:2836
      RHSA-2019:2885
        openSUSE-SU-2019:2281
          openSUSE-SU-2019:2278
            FEDORA-2019-3844281be1
              FEDORA-2019-59d60bd1fa
                FEDORA-2019-ea638fb605

                    1. Configuration 1

                      cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
                      End excliding
                      2.2.36.4
                      cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
                      Start including
                      2.3.0
                      End excliding
                      2.3.7.2
                      cpe:2.3:a:dovecot:pigeonhole:*:*:*:*:*:*:*:*
                      End excliding
                      0.5.7.2

                      Configuration 2

                      cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
                      cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
                  VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                  Version: v24.5.1
                  Back to top