On 2019.09.03. 22:32, KSB via dovecot wrote:
On 2019.08.28. 15:10, Aki Tuomi via dovecot wrote:
Steps to reproduce:
This bug is best observed using valgrind to see the out of bounds read
with following snippet:
perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\"
On 2019.08.28. 15:10, Aki Tuomi via dovecot wrote:
Steps to reproduce:
This bug is best observed using valgrind to see the out of bounds read
with following snippet:
perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\"
\"\000".("x"x1020)."\\A\")\n"' | nc localhost 143
Hi!
Before I
Hello,
Debian Stretch impact free security upgrade.
This is for the default version/unit which has a Type=forking service, not
the backport and buster one which switched to simple and has dovecot running
in the foreground.
However it should work just the same, obviously try this on a test
On 2.9.2019 12.51, MK via dovecot wrote:
>>> On 2 Sep 2019, at 11.01, MK via dovecot wrote:
>>>
>>> Good Morning List,
>>>
>>> just a short question to this vulnerability. We are using a setup with
>>> dovecot redirector/proxy frontend servers
>>> and some backend server, which store the
>> On 2 Sep 2019, at 11.01, MK via dovecot wrote:
>>
>> Good Morning List,
>>
>> just a short question to this vulnerability. We are using a setup with
>> dovecot redirector/proxy frontend servers
>> and some backend server, which store the mailboxes.
>> Is it enough to update the frontend
> On 2 Sep 2019, at 11.01, MK via dovecot wrote:
>
> Good Morning List,
>
> just a short question to this vulnerability. We are using a setup with
> dovecot redirector/proxy frontend servers
> and some backend server, which store the mailboxes.
> Is it enough to update the frontend servers
Good Morning List,
just a short question to this vulnerability. We are using a setup with dovecot
redirector/proxy frontend servers
and some backend server, which store the mailboxes.
Is it enough to update the frontend servers if I like to fix the
vulnerability?
greetings,
Oliver
Daniel,
thanks so much for the detailed pointers.
So it turns out to be both the evil that is systemd and an overzealous
upgrade script.
Apollon, should I raise a Debian bug for this?
As for reasons, how do 50k proxy session on the proxy servers and 25k imap
processes on the mailbox servers
Am 30.08.19 um 17:38 schrieb Daniel Lange via dovecot:
Am 30.08.19 um 10:00 schrieb Christian Balzer via dovecot:
When upgrading on Debian Stretch with the security fix packages all
dovecot processes get killed and then restarted despite having
"shutdown_clients = no" set.
This is systemd
Am 30.08.19 um 10:00 schrieb Christian Balzer via dovecot:
When upgrading on Debian Stretch with the security fix packages all
dovecot processes get killed and then restarted despite having
"shutdown_clients = no" set.
This is systemd doing its "magic" (kill all control group processes),
see
Hello,
Cc'ing Apollon in hopes he might have some insight here.
When upgrading on Debian Stretch with the security fix packages all
dovecot processes get killed and then restarted despite having
"shutdown_clients = no" set.
My guess would be a flaw in the upgrade procedure and/or unit files
On 28/08/2019 14:58, Christoph Pleger via dovecot wrote:
Hello,
On 2019-08-28 14:10, Aki Tuomi via dovecot wrote:
Dear subscribers, we have been made aware of critical vulnerability in
Dovecot and Pigeonhole.
Has this already been fixed in 2.2.36.4? Changelog does not mention it.
On 28/08/2019 16:58 Christoph Pleger via dovecot <
dovecot@dovecot.org> wrote:
Hello,
On 2019-08-28 14:10, Aki Tuomi via dovecot wrote:
Dear subscribers, we have been made aware of
Hello,
On 2019-08-28 14:10, Aki Tuomi via dovecot wrote:
Dear subscribers, we have been made aware of critical vulnerability in
Dovecot and Pigeonhole.
Has this already been fixed in 2.2.36.4? Changelog does not mention it.
Regards
Christoph
Dear subscribers, we have been made aware of critical vulnerability in
Dovecot and Pigeonhole.
---
Open-Xchange Security Advisory 2019-08-14
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-3278
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: All