oss-sec mailing list archives

Re: Important vulnerability in Dovecot (CVE-2016-8652)

From: Aki Tuomi <aki.tuomi () dovecot fi>
Date: Mon, 5 Dec 2016 09:00:13 +0200



On 02.12.2016 09:02, Aki Tuomi wrote:

Important vulnerability in Dovecot (CVE-2016-8652)
CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
Affected version(s): 2.2.25.1 up to 2.2.26.1
Fixed in: 2.2.27.1rc1

Short summary: Dovecot auth component can be crashed by remote user when
auth-policy component is activated.

If auth-policy component has been activated in Dovecot, then remote user
can use SASL authentication to crash auth component.

Workaround is to disable auth-policy component until fix is in place.
This can be done by commenting out all auth_policy_* settings.

Aki Tuomi
Dovecot oy


The affected versions are from 2.2.25 to 2.2.26.1.

Aki Tuomi
Dovecot oy

Current thread:

Important vulnerability in Dovecot (CVE-2016-8652) Aki Tuomi (Dec 02)
- Re: Important vulnerability in Dovecot (CVE-2016-8652) Aki Tuomi (Dec 05)