Arch Linux: Denial of service (CVE-2019-10691)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Apr 24, 2019 | Jul 11, 2025 | Nov 27, 2025 |
Description
The JSON encoder in Dovecot 2.3 incorrectly assert-crashes when it encounters invalid UTF-8 characters. This can be used to crash Dovecot in two ways. An attacker can repeatedly crash the Dovecot authentication process by logging in with an invalid UTF-8 sequence in the username; this requires that auth policy is enabled. A crash can also occur if the OX push notification driver is enabled and an email is delivered with an invalid UTF-8 sequence in the From or Subject header. In 2.2, malformed UTF-8 sequences are forwarded "as-is" and thus do not cause problems in Dovecot itself; target systems should be checked for possible problems in dealing with such sequences.
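To illustrate the failure mode described above, the following is an added example (not Dovecot code): it contrasts a strict encoder that aborts on malformed UTF-8 with a tolerant one that substitutes U+FFFD, and scans constructed username and header values for the byte offsets a defender would want to log. The field names and sample bytes are assumptions made up for this example.

```python
import json
from typing import Dict, List

# Constructed sample inputs standing in for a login username and two mail headers.
SAMPLES: Dict[str, bytes] = {
    "username": b"alice\xc3\x28",                        # 0xC3 needs a continuation byte; '(' is not one
    "From": b"Bob <bob@example.org>",                    # clean ASCII
    "Subject": b"Invoice \xf0\x9f\x92\xb8 \xed\xa0\x80",  # valid 4-byte char, then an encoded surrogate (invalid)
}


def invalid_utf8_offsets(data: bytes) -> List[int]:
    """Byte offsets at which strict UTF-8 decoding rejects the input (empty if clean)."""
    offsets: List[int] = []
    pos = 0
    while pos < len(data):
        try:
            data[pos:].decode("utf-8")
            break
        except UnicodeDecodeError as exc:
            offsets.append(pos + exc.start)
            pos += exc.end  # skip the rejected bytes and keep scanning
    return offsets


def encode_strict(field: str, raw: bytes) -> str:
    """Models the 2.3 behaviour: malformed input raises instead of being encoded.
    In a long-running daemon an unhandled assertion at this point is a process crash."""
    return json.dumps({field: raw.decode("utf-8")})


def would_crash(raw: bytes) -> bool:
    """True if the strict encoder cannot handle this value (the crash condition)."""
    try:
        encode_strict("value", raw)
    except UnicodeDecodeError:
        return True
    return False


def encode_tolerant(field: str, raw: bytes) -> str:
    """Hardened form: replace each malformed byte run with U+FFFD and keep serving."""
    return json.dumps({field: raw.decode("utf-8", errors="replace")}, ensure_ascii=True)


def triage(samples: Dict[str, bytes]) -> Dict[str, List[int]]:
    """Map each field to the offsets of malformed bytes, for logging or rejection."""
    return {name: invalid_utf8_offsets(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "crash:", would_crash(raw), "offsets:", invalid_utf8_offsets(raw))
        print("  tolerant:", encode_tolerant(name, raw))
```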
Solution
arch-linux-upgrade-latest
References
- CVE-2019-10691
- https://attackerkb.com/topics/CVE-2019-10691
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html
- http://www.openwall.com/lists/oss-security/2019/04/18/3
- https://dovecot.org/list/dovecot-news/2019-April/000406.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/
- https://security.archlinux.org/ASA-201904-9
- https://security.gentoo.org/glsa/201908-29