-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2019.3290
[DLA 1901-1] dovecot security update
30 August 2019

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           dovecot
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11500

Reference:         ESB-2019.3269
                   ESB-2019.3261

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html

- --------------------------BEGIN INCLUDED TEXT--------------------

[DLA 1901-1] dovecot security update

Package        : dovecot
Version        : 1:2.2.13-12~deb8u7
CVE ID         : CVE-2019-11500

Nick Roessler and Rafi Rubin discovered that the IMAP and ManageSieve
protocol parsers in the Dovecot email server do not properly validate
input (both pre- and post-login). A remote attacker can take advantage of
this flaw to trigger out of bounds heap memory writes, leading to
information leaks or potentially the execution of arbitrary code.

For Debian 8 "Jessie", this problem has been fixed in version
1:2.2.13-12~deb8u7.

We recommend that you upgrade your dovecot packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================