CVE-2024-25584

Publication date 6 September 2024

Last updated 11 September 2024

Ubuntu priority

Dovecot accepts dot LF DOT LF symbol as end of DATA command. RFC requires that it should always be CR LF DOT CR LF. This causes Dovecot to convert single mail with LF DOT LF in middle, into two emails when relaying to SMTP. Dovecot will split mail with LF DOT LF into two mails. Upgrade to latest released version. No publicly available exploits are known.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
dovecot	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

This isn't an issue in Dovecot, it is an issue in OX Dovecot Pro core

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-25584
https://documentation.open-xchange.com/dovecot/security/advisories/html/2024/oxdc-adv-2024-0001.html