We are sorry to report that we have a bug in dovecot, which merits a
CVE. See details below. If you haven't configured any auth_policy_*
settings you are ok. This is fixed with

Important vulnerability in Dovecot (CVE-2016-8562)
CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
Affected version(s): up to
Fixed in:

Short summary: Dovecot auth component can be crashed by remote user when
auth-policy component is activated.

If auth-policy component has been activated in Dovecot, then remote user
can use SASL authentication to crash auth component.

Workaround is to disable auth-policy component until fix is in place.
This can be done by commenting out all auth_policy_* settings.

Aki Tuomi
Dovecot oy

Reply via email to