Ubuntu update for Dovecot

Published: 2019-04-30 | Updated: 2019-05-06

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2019-11494 CVE-2019-11499
CWE-ID	CWE-476 CWE-399
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	dovecot (Ubuntu package) Operating systems & Components / Operating system package or component
Vendor	Canonical Ltd.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) NULL pointer dereference

EUVDB-ID: #VU18399

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11494

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within Submission-login when processing authentication. A remote attacker can unexpectedly abort the authentication process by disconnecting from the server during authentication and cause the software to crash.

Mitigation

Update the affected packages.

Ubuntu 19.04: dovecot-core - 1:2.3.4.1-1ubuntu2.2; dovecot-submissiond - 1:2.3.4.1-1ubuntu2.2
Ubuntu 18.10: dovecot-core - 1:2.3.2.1-1ubuntu3.4; dovecot-submissiond - 1:2.3.2.1-1ubuntu3.4

Vulnerable software versions

dovecot (Ubuntu package): 1:2.3.2.1-1ubuntu3.1 - 1:2.3.4.1-1ubuntu2.1

External links

http://usn.ubuntu.com/3961-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Resource management error

EUVDB-ID: #VU18400