PublicDateAtUSN: 2019-08-28 12:00:00 UTC
Candidate: CVE-2019-11500
CRD: 2019-08-28 12:00:00 UTC
PublicDate: 2019-08-29 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11500
 https://ubuntu.com/security/notices/USN-4110-1
 https://ubuntu.com/security/notices/USN-4110-2
 https://ubuntu.com/security/notices/USN-4110-3
 https://ubuntu.com/security/notices/USN-4110-4
Description:
 In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before
 0.5.7.2), protocol processing can fail for quoted strings. This occurs
 because '\0' characters are mishandled, and can lead to out-of-bounds
 writes and remote code execution.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1842007
Priority: high
Discovered-by: Nick Roessler and Rafi Rubin
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_dovecot:
upstream_dovecot: released (2.3.7.2,2.2.36.4)
precise/esm_dovecot: released (1:2.0.19-0ubuntu2.7)
trusty_dovecot: ignored (out of standard support)
trusty/esm_dovecot: released (1:2.2.9-1ubuntu2.6+esm1)
xenial_dovecot: released (1:2.2.22-1ubuntu2.11)
esm-infra/xenial_dovecot: released (1:2.2.22-1ubuntu2.11)
bionic_dovecot: released (1:2.2.33.2-1ubuntu4.4)
disco_dovecot: released (1:2.3.4.1-1ubuntu2.3)
devel_dovecot: released (1:2.3.4.1-5ubuntu3)