Date: Thu, 13 Feb 2020 00:18:20 +0000 (UTC)
From: Larry Rosenman <ler@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r525986 - head/security/vuxml
Message-ID: <202002130018.01D0IKvX060999@repo.freebsd.org>
Author: ler Date: Thu Feb 13 00:18:19 2020 New Revision: 525986 URL: https://svnweb.freebsd.org/changeset/ports/525986 Log: security/vuxml: dovecot vulnerabilities Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Feb 12 23:45:59 2020 (r525985) +++ head/security/vuxml/vuln.xml Thu Feb 13 00:18:19 2020 (r525986) 
@@ -58,6 +58,48 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="74db0d02-b140-4c32-aac6-1f1e81e1ad30"> + <topic>dovecot -- multiple vulnerabilities</topic> + <affects> + <package> + <name>dovecot</name> + <range><lt>2.3.9.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Aki Tuomi reports:</p> + <blockquote cite="https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html"> + <p>lib-smtp doesn't handle truncated command parameters properly, resulting +in infinite loop taking 100% CPU for the process. This happens for LMTP +(where it doesn't matter so much) and also for submission-login where +unauthenticated users can trigger it. </p> + </blockquote> + <p>Aki also reports:</p> + <blockquote cite="https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html"> + <p>Snippet generation crashes if: + + message is large enough that message-parser returns multiple body +blocks + The first block(s) don't contain the full snippet (e.g. full of +whitespace) + input ends with '>' + </p> + </blockquote> + </body> + </description> + <references> + <url>https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html</url> + <url>https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html</url> + <cvename>CVE-2020-7046</cvename> + <cvename>CVE-2020-7967</cvename> + </references> + <dates> + <discovery>2020-01-14</discovery> + <entry>2020-02-13</entry> + </dates> + </vuln> + <vuln vid="9d6a48a7-4dad-11ea-8a1d-7085c25400ea"> <topic>grub2-bhyve -- multiple privilege escalations</topic> <affects>
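Review bot: In the second blockquote (the snippet-generation report), the three crash conditions are bare text lines inside a single `<p>`, so when the XHTML body is rendered the whitespace collapses and they read as one run-on sentence; wrapping them in a `<ul>` with one `<li>` per condition would keep them distinct. The `<affects>` block names only `dovecot`, while the file's header notes visible in the context just above the new entry say not to forget port variants, so it is worth confirming that no other package name ships the affected code. The two `<cvename>` entries are also not tied to either quoted report; stating in the body which CVE belongs to which advisory would let readers match the lib-smtp loop and the snippet crash to their identifiers.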