|Summary:||<net-mail/dovecot-1.2.11: CPU exhaustion DoS through large header (CVE-2010-0745)|
|Product:||Gentoo Security||Reporter:||Tomás Touceda (RETIRED) <chiiph>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||minor||CC:||bugs+gentoo, eras, net-mail+disabled, patrick|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||313787|
|Bug Blocks:||286844, 293954|
Description Tomás Touceda (RETIRED) 2010-04-10 15:31:05 UTC
This problem is only present with versions 1.2.x and it's fixed in 1.2.11: - mbox: Message header reading was unnecessarily slow. Fetching a huge header could have resulted in Dovecot eating a lot of CPU. Also searching messages was much slower than necessary. - mbox, dbox, cydir: Mail root directory was created with 0770 permissions, instead of 0700. - maildir: Reading uidlist could have ended up in an infinite loop. - IMAP IDLE: v1.2.7+ caused extra load by checking changes every 0.5 seconds after a change had occurred in mailbox Is it ok for version 1.2.11 to go stable?
Comment 1 Eray Aslan 2010-04-10 17:16:20 UTC
dovecot-1.2.11-r1 is ready for stable. Only concern is it was committed to the tree on April 7th and this is a minor issue. Advice is welcome on gentoo policy whether this warrents foregoing "30 days before stabilization". Patrick?
Comment 2 Jeremy Olexa (darkside) (RETIRED) 2010-04-14 04:50:14 UTC
(In reply to comment #1) > Advice is welcome on gentoo policy whether this warrents foregoing "30 days > before stabilization". Patrick? Eray, security issues should not wait. I see there is also bug 314103.
Comment 3 Eray Aslan 2010-04-14 14:31:18 UTC
Fair enough. Arches, please test and mark stable: =net-mail/dovecot-1.2.11-r1 Target keywords : "alpha amd64 sparc x86"
Comment 4 Jeremy Olexa (darkside) (RETIRED) 2010-04-14 14:41:34 UTC
*** Bug 314103 has been marked as a duplicate of this bug. ***
Comment 5 Jeremy Olexa (darkside) (RETIRED) 2010-04-14 15:00:15 UTC
x86 team: Stable host, upgraded to 1.2.11-r1 with no issues in my mail setup.
Comment 6 Christian Faulhammer (RETIRED) 2010-04-14 17:03:31 UTC
stable x86, thanks Jeremy, interested in a position as x86 AT? :)
Comment 7 Benjamin Börngen-Schmidt 2010-04-16 12:00:07 UTC
No problems so far on an amd64 platform
Comment 8 Markus Meier 2010-04-18 11:57:39 UTC
Comment 9 Stefan Behte (RETIRED) 2010-05-03 09:45:03 UTC
Comment 10 Raúl Porcel (RETIRED) 2010-05-07 18:21:41 UTC
Comment 11 Stefan Behte (RETIRED) 2010-05-22 11:05:37 UTC
All arches done. Vote required, I vote NO.
Comment 12 Dustin Polke 2010-06-06 08:56:01 UTC
arm has keyworded dovecot-1.2.11-r1 as well. Please stabilize too. Thanks.
Comment 13 Alex Legler (RETIRED) 2010-06-06 09:04:39 UTC
(In reply to comment #12) > arm has keyworded dovecot-1.2.11-r1 as well. Please stabilize too. Thanks. > The package was never stable, NACK.
Comment 14 Jeremy Olexa (darkside) (RETIRED) 2010-07-14 16:03:37 UTC
What is happening with ppc? They are still stuck at 1.1.19
Comment 15 Joe Jezak (RETIRED) 2010-07-18 20:46:32 UTC
I've marked the ppc builds ~ppc. In a few days, I'll mark the requested ebuild ppc stable, quickly due to the security issue. Sorry for the delay.
Comment 16 Stefan Behte (RETIRED) 2010-08-01 12:44:42 UTC
Comment 17 Joe Jezak (RETIRED) 2010-08-11 21:33:22 UTC
Sorry, I forgot about this. Marked ppc stable.
Comment 18 Tobias Heinlein (RETIRED) 2010-08-14 14:56:51 UTC
I vote YES though.
Comment 19 Tim Sammut (RETIRED) 2010-11-18 20:38:14 UTC
GLSA Vote: Yes, with 286844.
Comment 20 GLSAMaker/CVETool Bot 2011-10-10 20:25:15 UTC
This issue was resolved and addressed in GLSA 201110-04 at http://security.gentoo.org/glsa/glsa-201110-04.xml by GLSA coordinator Stefan Behte (craig).