FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-23 05:42:14 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
abaaecda-ea16-43e2-bad0-d34a9ac576b1	Dovecot -- improper input validation Aki Tuomi reports: Vulnerability Details: IMAP and ManageSieve protocol parsers do not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes. Risk: This vulnerability allows for out-of-bounds writes to objects stored on the heap up to 8096 bytes in pre-login phase, and 65536 bytes post-login phase, allowing sufficiently skilled attacker to perform complicated attacks that can lead to leaking private information or remote code execution. Abuse of this bug is very difficult to observe, as it does not necessarily cause a crash. Attempts to abuse this bug are not directly evident from logs. Discovery 2019-04-13 Entry 2019-08-28 dovecot < 2.3.7.2 dovecot-pigeonhole < 0.5.7.2 https://dovecot.org/pipermail/dovecot/2019-August/116874.html CVE-2019-11500
f3fc2b50-d36a-11eb-a32c-00a0989e4ec1	dovecot-pigeonhole -- Sieve excessive resource usage Dovecot team reports reports: Sieve interpreter is not protected against abusive scripts that claim excessive resource usage. Fixed by limiting the user CPU time per single script execution and cumulatively over several script runs within a configurable timeout period. Sufficiently large CPU time usage is summed in the Sieve script binary and execution is blocked when the sum exceeds the limit within that time. The block is lifted when the script is updated after the resource usage times out. Discovery 2020-09-23 Entry 2021-06-22 dovecot-pigeonhole < 0.5.15 CVE-2020-28200 https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html

VuXML ID

Description

abaaecda-ea16-43e2-bad0-d34a9ac576b1

Dovecot -- improper input validation

Aki Tuomi reports:

Vulnerability Details: IMAP and ManageSieve protocol parsers do not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes. Risk: This vulnerability allows for out-of-bounds writes to objects stored on the heap up to 8096 bytes in pre-login phase, and 65536 bytes post-login phase, allowing sufficiently skilled attacker to perform complicated attacks that can lead to leaking private information or remote code execution. Abuse of this bug is very difficult to observe, as it does not necessarily cause a crash. Attempts to abuse this bug are not directly evident from logs.

Discovery 2019-04-13
Entry 2019-08-28
dovecot

< 2.3.7.2

dovecot-pigeonhole

< 0.5.7.2

https://dovecot.org/pipermail/dovecot/2019-August/116874.html
CVE-2019-11500

f3fc2b50-d36a-11eb-a32c-00a0989e4ec1

dovecot-pigeonhole -- Sieve excessive resource usage

Dovecot team reports reports:

Sieve interpreter is not protected against abusive scripts that claim excessive resource usage. Fixed by limiting the user CPU time per single script execution and cumulatively over several script runs within a configurable timeout period. Sufficiently large CPU time usage is summed in the Sieve script binary and execution is blocked when the sum exceeds the limit within that time. The block is lifted when the script is updated after the resource usage times out.

Discovery 2020-09-23
Entry 2021-06-22
dovecot-pigeonhole

< 0.5.15

CVE-2020-28200
https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html