| Summary: | <net-mail/dovecot-2.2.13-r1: Denial of Service (CVE-2014-3430) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | eras, hanno, net-mail+disabled |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2014/05/09/4 | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 501600 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
2014-05-10 07:49:45 UTC
+*dovecot-2.2.13 (12 May 2014)
+
+  12 May 2014; Eray Aslan <eras@gentoo.org> +dovecot-2.2.13.ebuild,
+  +files/dovecot-10-ssl.patch:
+  Security bump - bug #509954

(In reply to Eray Aslan from comment #1)
> +*dovecot-2.2.13 (12 May 2014)
> +
> +  12 May 2014; Eray Aslan <eras@gentoo.org> +dovecot-2.2.13.ebuild,
> +  +files/dovecot-10-ssl.patch:
> +  Security bump - bug #509954

Ready to go stable?

CVE-2014-3430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3430):
Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection.

Arches, please test and mark stable:
=net-mail/dovecot-2.2.13-r1
Target Keywords: amd64 arm hppa ia64 x86

=app-arch/lz4-0_p106-r1 will also have to be stabilized as a dependency. Thank you.

Stable for HPPA.

amd64 stable

Ago, please test and mark stable =net-mail/dovecot-2.2.13-r1. Adding back amd64. Thank you.

amd64/x86 stable

ia64 stable

arm stable, all arches done.

Arches, thank you for your work.

Maintainer(s), please drop the vulnerable version.

GLSA Vote: Yes

YES too, request filed.

In the meantime, ~alpha, ~ppc and ~ppc64 were added to keywords and need to be stabilized as well. I am assuming that we want to keep track of that in this bug as well (if not, let me know).

Arches, please test and mark stable =net-mail/dovecot-2.2.13-r1. Thank you.

(In reply to Eray Aslan from comment #13)
> In the meantime, ~alpha, ~ppc and ~ppc64 were added to keywords and need to
> be stabilized as well. I am assuming that we want to keep track of that in
> this bug as well (if not, let me know).
>
> Arches, please test and mark stable =net-mail/dovecot-2.2.13-r1. Thank you.

The arches mentioned are not stable arches, and have not been stable before. If you would like to make them stable in the future, please file a separate stabilization bug for them.

(In reply to Yury German from comment #14)
> The arches mentioned are not stable arches, and have not been stable before.

I'll assume that you are mixing up the packages. alpha, ppc and ppc64 are stable arches and they are keyworded stable for net-mail/dovecot.

Sorry... was simply going from current versions in tree, and did not look into the masked 2.2.9 version. Setting back to stable request.

Arches, please test and mark stable:
=net-mail/dovecot-2.2.13-r1
Target Keywords: "alpha ppc ppc64"

ppc stable

ppc64 stable

alpha stable.

Maintainer(s), please cleanup. Security, please vote.

We already have a GLSA draft for this ready.

Cleanup already done. Can't punt net-mail/dovecot-2.2.9 for now as doing so would break the stable tree. See bugs #501600 #519952

(In reply to Eray Aslan from comment #21)
> Cleanup already done. Can't punt net-mail/dovecot-2.2.9 for now as doing so
> would break the stable tree. See bugs #501600 #519952

Unless (i) a patch for the vulnerability is backported to that version, (ii) it is package.masked, or (iii) it is removed, cleanup is not done.

(In reply to Kristian Fiskerstrand from comment #22)
> (In reply to Eray Aslan from comment #21)
> > Cleanup already done. Can't punt net-mail/dovecot-2.2.9 for now as doing so
> > would break the stable tree. See bugs #501600 #519952
>
> Unless (i) a patch for the vulnerability is backported to that version, (ii)
> it is package.masked, or (iii) it is removed, cleanup is not done.

@maintainers, ^^ ping

This issue was resolved and addressed in GLSA 201412-03 at http://security.gentoo.org/glsa/glsa-201412-03.xml by GLSA coordinator Kristian Fiskerstrand (K_F).

@maintainers: Please close this bug once cleanup is done, we're done from Security.

For cleanup, I set bug 501600 as a dependency. Since stabilization will be required for alpha, ia64, and potentially spark, please open a separate bug for the stabilization and set it as a blocker of this bug for cleanup purposes.

(In reply to Yury German from comment #25)
> For cleanup, I set bug 501600 as a dependency.
>
> > spark

spark = sparc (Auto correction taking over).

Maintainer(s), please re-evaluate if 2.2.9 and 2.2.13 can now be dropped.

commit 169b6e23ed1fe39812deef35fc9f3002aa5ff9e3
Author: Sergey Popov <pinkbyte@gentoo.org>
Date:   Sat Oct 24 18:55:42 2015 +0300

    net-mail/dovecot: drop old vulnerable versions

    Gentoo-Bug: 509954
    Package-Manager: portage-2.2.20

Old versions were purged.
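The CVE text quoted in the thread names the failure mode: a client opens an IMAP or POP3 TLS connection, never finishes the handshake, and the server keeps the connection around, so a modest number of such clients consumes the listener's resources. The block below is an added example, not Dovecot code and not anything posted in this bug. It is the check an operator would run after an upgrade: open a few connections to a TLS port, send no ClientHello at all, wait, and count how many the server is still holding. To keep it runnable offline it is exercised against a constructed local mock listener whose idle policy is a parameter (the mock, the 6-connection count and the 1 s hold are illustration assumptions); against a real server, call `probe_stalled_handshakes` with the host and IMAPS/POP3S port and keep `count` small, since a large count against an unpatched server is the denial of service itself.

```python
import select
import socket
import threading
import time


def start_mock_listener(idle_timeout):
    """Constructed stand-in for an IMAP/POP3 TLS listener on 127.0.0.1 (not Dovecot).

    idle_timeout=None: a client that never sends its ClientHello is held open
    forever, the behaviour CVE-2014-3430 describes.
    idle_timeout=<seconds>: a silent client is dropped after that long, which
    is what a fixed server should do.
    Returns (port, shutdown); shutdown() stops the accept loop.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)
    srv.settimeout(0.1)
    stop = threading.Event()

    def handle(conn):
        conn.settimeout(idle_timeout)
        try:
            conn.recv(1)  # wait for the first handshake byte: times out, or sees EOF
        except OSError:   # socket.timeout is an OSError subclass
            pass
        finally:
            conn.close()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], stop.set


def probe_stalled_handshakes(host, port, count, hold_seconds):
    """Open `count` TCP connections to a TLS port, never start the handshake,
    wait `hold_seconds`, and return how many the server still holds open.

    Keep `count` small against a real server: this is a check, not a load test.
    """
    socks = [socket.create_connection((host, port), timeout=5) for _ in range(count)]
    time.sleep(hold_seconds)
    still_open = 0
    for s in socks:
        readable, _, _ = select.select([s], [], [], 0)
        if not readable:
            still_open += 1          # no FIN/RST arrived: server still holds it
        else:
            try:
                if s.recv(1):        # server spoke first; unusual for TLS, but open
                    still_open += 1
            except OSError:
                pass                 # reset by peer: closed
        s.close()
    return still_open


def check_idle_handshake_policy(idle_timeout, count=6, hold_seconds=1.0):
    """Run the probe against a mock listener with the given idle policy and
    return how many of `count` stalled connections are left after the hold."""
    port, shutdown = start_mock_listener(idle_timeout)
    try:
        return probe_stalled_handshakes("127.0.0.1", port, count, hold_seconds)
    finally:
        shutdown()


if __name__ == "__main__":
    # Vulnerable policy: every stalled handshake is still held after 1 s.
    print("no idle timeout   :", check_idle_handshake_policy(None), "of 6 still open")
    # Fixed policy: a 0.3 s idle timeout has dropped all of them.
    print("0.3 s idle timeout:", check_idle_handshake_policy(0.3), "of 6 still open")
```

The client side deliberately sends nothing rather than a truncated ClientHello, because a server that only starts its handshake timer once the first record arrives would pass the truncated-record test and still fail this one; a correct fix bounds the time from accept to a completed handshake.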