CVE-2019-19722

Published: 13 December 2019

In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.

Priority

Medium

CVSS 3 base score: 5.3

Status

Package: dovecot (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (2.3.9.2)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1:2.2.33.2-1ubuntu4.5)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (1:2.2.22-1ubuntu2.12)
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (1:2.2.9-1ubuntu2.6)

Patches:
Upstream: https://github.com/dovecot/core/commit/393a8cabf4dad893bf2ec60bf96cfde7a0c58432
Upstream: https://github.com/dovecot/core/commit/1307766b6f5d97341a47376657d342bcefd10f1b
Upstream: https://github.com/dovecot/core/commit/82c948db496cdc2d25b40eb8613c1eaa5c622384