FS#57688 - [dovecot] Multiple CVEs
Attached to Project:
Community Packages
Opened by Karol Babioch (kbabioch) - Thursday, 01 March 2018, 11:02 GMT
Last edited by Johannes Löthberg (demize) - Monday, 05 March 2018, 13:56 GMT
Opened by Karol Babioch (kbabioch) - Thursday, 01 March 2018, 11:02 GMT
Last edited by Johannes Löthberg (demize) - Monday, 05 March 2018, 13:56 GMT
|
Details
Current package (dovecot 2.3.0-2) contains multiple CVEs:
https://www.dovecot.org/list/dovecot-news/2018-February/000371.html * CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage, causing imap-login/pop3-login VSZ limit to be reached and the process restarted. This happens only if Dovecot config has local_name { } or local { } configuration blocks and attacker uses randomly generated SNI servernames. * CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak memory contents to attacker. For example, these memory contents might contain parts of an email from another user if the same imap process is reused for multiple users. First discovered by Aleksandar Nikolic of Cisco Talos. Independently also discovered by "flxflndy" via HackerOne. * CVE-2017-15132: Aborted SASL authentication leaks memory in login process. |
This task depends upon
Closed by Johannes Löthberg (demize)
Monday, 05 March 2018, 13:56 GMT
Reason for closing: Fixed
Additional comments about closing: 2.3.0.1
Monday, 05 March 2018, 13:56 GMT
Reason for closing: Fixed
Additional comments about closing: 2.3.0.1