CVE-2017-2669

Priority
Description
Dovecot before version 2.2.29 is vulnerable to a denial of service. When
'dict' passdb and userdb were used for user authentication, the username
sent by the IMAP/POP3 client was sent through var_expand() to perform
%variable expansion. Sending specially crafted %variable fields could
result in excessive memory usage causing the process to crash (and
restart), or excessive CPU usage causing all authentications to hang.
Assigned-to
mdeslaur
Notes
tyhicks: Vulnerable versions: 2.2.26 - 2.2.28
Package
Upstream: needed
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (1:2.2.9-1ubuntu2.1)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected
Patches:
Upstream: https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735

Updated: 2020-01-29 19:58:58 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)