[VIM] Dovecot 'LIST' Command Denial of Service Vulnerability
George Theall
gtheall at tenable.com
Wed Aug 14 14:47:38 CDT 2013
On Aug 14, 2013, at 2:25 PM, Dinesh Theerthagiri <Dinesh_Theerthagiri at symantec.com> wrote:
> Hey,
>
> You are right, BID 61763 has a wrong CVE number (CVE-2013-2111). We have now corrected it by removing the CVE number.
Thanks
> We consider the 'LIST' command a DoS vulnerability because of the reference below:
> http://www.dovecot.org/list/dovecot-news/2013-August/000261.html
Unfortunately, that doesn't provide details about what exactly is crashing. According to http://www.openwall.com/lists/oss-security/2013/08/14/6, an attacker can only cause his own session to crash (at least unless Dovecot was configured in a non-recommended way). So how is that a vulnerability?
>
>
>
> Thanks,
> T.Dinesh
>
> -----Original Message-----
> From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
> Sent: 14 August 2013 23:22
> To: Vulnerability Information Managers
> Subject: [VIM] Dovecot 'LIST' Command Denial of Service Vulnerability
>
> Narayan / Venkat / Rob : Why does the newly issued BID 61763 reference CVE-2013-2111? According to http://www.openwall.com/lists/oss-security/2013/05/24/1, that CVE was assigned for the APPEND parameter DoS fixed in Dovecot 2.2.2 and is referenced already in BID 60052.
>
> Also, is this new BID even for an issue that's a vulnerability? See, for example, http://www.openwall.com/lists/oss-security/2013/08/14/6.
>
> George
> --
> theall at tenable.com
>
George
--
theall at tenable.com