
Michal Hlavinka

Researcher from Red Hat
#19862 of 53,635
13.1 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)
PT-2020-19354
7.8
2020-02-12
Dovecot · Dovecot · CVE-2020-7046
**Name of the Vulnerable Software and Affected Versions** Dovecot versions 2.3.9 through 2.3.9.2

**Description** The issue is related to the mishandling of truncated UTF-8 data in command parameters by lib-smtp in submission-login and lmtp. This can be demonstrated by the unauthenticated triggering of a submission-login infinite loop.

**Recommendations** For Dovecot versions 2.3.9 through 2.3.9.2, update to version 2.3.9.3 or later to resolve the issue.

PT-2019-15927
5.3
2019-12-13
Dovecot · Dovecot · CVE-2019-19722
**Name of the Vulnerable Software and Affected Versions** Dovecot versions prior to 2.3.9.2

**Description** The issue allows an attacker to crash a push-notification driver with a crafted email when push notifications are used, due to a NULL Pointer Dereference. This can be achieved by using a group address as either the sender or the recipient in the email.

**Recommendations** For versions prior to 2.3.9.2, update to version 2.3.9.2 or later to resolve the issue. As a temporary workaround, consider disabling push notifications until a patch is available. Restrict access to the push-notification driver to minimize the risk of exploitation.