Description: A vulnerability has been reported in Dovecot, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a double free error in pop3-login and imap-login when processing certain requests and can be exploited to crash the service. Successful exploitation requires that "login_process_per_connection = no" has been set in the configuration file. The vulnerability has been reported in versions prior to 1.0 beta3.
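A defender's check for the precondition named in the description, added here as an example and not part of the bug report or of Dovecot's own code: it reads the text of a dovecot.conf and reports which login services run with `login_process_per_connection = no`. The sample configuration is constructed, and both the handling of `protocol name { ... }` overrides and the default of `yes` when the setting is absent are assumptions.

```python
import re

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
# Dovecot configuration (constructed sample)
protocols = imap pop3
#login_process_per_connection = yes
login_process_per_connection = no   # trailing comment
protocol pop3 {
  login_process_per_connection = yes
}
"""

SETTING = "login_process_per_connection"
ASSUMED_DEFAULT = "yes"  # assumption: value in effect when the setting is absent


def effective_values(conf_text):
    """Return {scope: value} for SETTING; scope is 'global' or a protocol name."""
    values = {"global": ASSUMED_DEFAULT}
    scope = "global"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop full-line and trailing comments
        if not line:
            continue
        m = re.match(r"protocol\s+(\S+)\s*\{$", line)
        if m:                                     # assumed per-protocol override block
            scope = m.group(1)
            continue
        if line == "}":                           # simplification: any close returns to global
            scope = "global"
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == SETTING:
            values[scope] = val.strip().lower()   # last assignment in a scope wins
    return values


def exposed_logins(conf_text, protocols=("imap", "pop3")):
    """Protocols whose login process meets the advisory's precondition."""
    values = effective_values(conf_text)
    return sorted(p for p in protocols if values.get(p, values["global"]) == "no")


if __name__ == "__main__":
    print(exposed_logins(SAMPLE_CONF))
```
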
g2boojum: is beta3 suitable for arch stabilisation? or should the fixes be backported?
Stoopid Bugzie forces a comment here.
http://dovecot.org/patches/1.0-auth-crashfix.diff
http://dovecot.org/patches/1.0-login-crashfixes.diff
(In reply to comment #1)
> g2boojum: is beta3 suitable for arch stabilisation? or should the fixes be
> backported?

I think beta3 can be stabled.
arches please test and mark stable, thx
DerCorny: Arches should be Cced in order to mark stable :P 1.0_beta3 is the stable target, please test and mark stable if not worse than the previous stable.
Stable on x86; marked stable for Ticho who's at work \(^.^)/
ppc stable
sparc stable.
Alpha done by Stefaan. Thanks mate. Cheers, Ferdy
Ready for GLSA vote.
The doc is quite explicit that setting login_process_per_connection=no is less secure, so I tend to vote no.
voting no, too
agree with Koon, NO.
Closing without GLSA