Candidate: CVE-2019-19722
CRD: 2019-12-13 10:00:00 UTC
PublicDate: 2019-12-13 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19722
 https://github.com/dovecot/core/commit/393a8cabf4dad893bf2ec60bf96cfde7a0c58432
 https://github.com/dovecot/core/commit/1307766b6f5d97341a47376657d342bcefd10f1b
 https://github.com/dovecot/core/commit/82c948db496cdc2d25b40eb8613c1eaa5c622384
Description:
 In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver
 with a crafted email when push notifications are used, because of a NULL
 Pointer Dereference. The email must use a group address as either the
 sender or the recipient.
Ubuntu-Description:
Notes:
 amurray| Only affects 2.3.9 according to upstream - original fix was
  incomplete so required extra fix in 2.3.9.2 release
Mitigation:
 Disable push notifications
Bugs:
Priority: medium
Discovered-by: Frederik Schwan, Michael Stilkerich
Assigned-to: 
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L [5.3 MEDIUM]


Patches_dovecot:
 upstream: https://github.com/dovecot/core/commit/393a8cabf4dad893bf2ec60bf96cfde7a0c58432
 upstream: https://github.com/dovecot/core/commit/1307766b6f5d97341a47376657d342bcefd10f1b
 upstream: https://github.com/dovecot/core/commit/82c948db496cdc2d25b40eb8613c1eaa5c622384
upstream_dovecot: released (2.3.9.2)
precise/esm_dovecot: not-affected (1:2.0.19-0ubuntu2.2)
trusty_dovecot: ignored (out of standard support)
trusty/esm_dovecot: not-affected (1:2.2.9-1ubuntu2.6)
xenial_dovecot: not-affected (1:2.2.22-1ubuntu2.12)
esm-infra/xenial_dovecot: not-affected (1:2.2.22-1ubuntu2.12)
bionic_dovecot: not-affected (1:2.2.33.2-1ubuntu4.5)
disco_dovecot: not-affected (1:2.3.4.1-1ubuntu2.4)
eoan_dovecot: not-affected (1:2.3.4.1-5ubuntu3)
devel_dovecot: not-affected (1:2.3.7.2-1ubuntu1)