Total vulnerabilities in the database
Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.
| Software | From | Fixed in |
|---|---|---|
| dovecot / dovecot | 2.0.9 | 2.0.9.x |
| dovecot / dovecot | 2.0.14 | 2.0.14.x |
| dovecot / dovecot | 2.0.7 | 2.0.7.x |
| dovecot / dovecot | 2.0.12 | 2.0.12.x |
| dovecot / dovecot | 2.0.4 | 2.0.4.x |
| dovecot / dovecot | 2.0.2 | 2.0.2.x |
| dovecot / dovecot | 2.0.1 | 2.0.1.x |
| dovecot / dovecot | 2.0.10 | 2.0.10.x |
| dovecot / dovecot | 2.0.11 | 2.0.11.x |
| dovecot / dovecot | 2.0.13 | 2.0.13.x |
| dovecot / dovecot | 2.0.8 | 2.0.8.x |
| dovecot / dovecot | 2.0.3 | 2.0.3.x |
| dovecot / dovecot | 2.0.0 | 2.0.0.x |
| dovecot / dovecot | 2.0.15 | 2.0.15.x |
| dovecot / dovecot | 2.0.5 | 2.0.5.x |
| dovecot / dovecot | 2.0.6 | 2.0.6.x |