CVE-2019-11500 — dovecot - security update

Description

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.

How to fix CVE-2019-11500

To remediate CVE-2019-11500, upgrade the affected package to a fixed version below.

Alpine/dovecot—upgrade to 2.3.7.2-r0 or later
—upgrade to 1:2.3.7.2-1 or later
—upgrade to 1:2.2.13-12~deb8u7 or later
—upgrade to 1:2.2.27-3+deb9u5 or later

Is CVE-2019-11500 being exploited?

Moderate — EPSS is 38.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (4)

from 0, < 2.3.7.2-r0
from 0, < 1:2.3.7.2-1
from 0, < 1:2.2.13-12~deb8u7
from 0, < 1:2.2.27-3+deb9u5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2019-11500
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-11500