| Summary: | <net-mail/dovecot-2.2.16-r1: remote DoS on TLS connections (CVE-2015-3420) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | eras, hanno, net-mail+disabled |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2015/04/26/3 | ||
| Whiteboard: | B3 [noglsa/cve] | ||
| Package list: | Runtime testing required: | --- | |
Here's the commit: http://hg.dovecot.org/dovecot-2.2/rev/86f535375750 +*dovecot-2.2.16-r1 (28 Apr 2015) + + 28 Apr 2015; Eray Aslan <eras@gentoo.org> +dovecot-2.2.16-r1.ebuild, + +files/CVE-2015-3420.patch: + Security bump - bug #547872 + Arches, please test and mark stable =net-mail/dovecot-2.2.16-r1. Thank you. Target keywords = alpha amd64 arm hppa ia64 ppc ppc64 x86 Stable for HPPA PPC64. amd64 stable ia64 stable ppc stable x86 stable arm stable alpha stable Arches, Thank you for your work. Maintainer(s), please drop the vulnerable version(s). Security Please Vote. GLSA Vote: No CVE-2015-3420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3420): ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. ** TEMPORARY ** Dovecot (2.2.16) imap/pop3 server has an issue that handshake failures will lead to a crash of the login process. Please cleanup net-mail/dovecot-2.2.9 (In reply to Yury German from comment #12) > Please cleanup net-mail/dovecot-2.2.9 will do once bug #501600 is resolved GLSA Vote: Yes GLSA vote: No Maintainer(s), Thank you for you for cleanup. Thank you all. Closing as noglsa. |
From ${URL} : The current Dovecot (2.2.16) imap/pop3 server has an issue that handshake failures will lead to a crash of the login process. An example where this is triggered is if the server is configured to not allow SSLv3 connections and a client tries to connect with SSLv3 only. The reason is that the error handling routine will try to finish the handshake and that will crash. Details here: http://dovecot.org/pipermail/dovecot/2015-April/100618.html I had created a patch, one of the dovecot devs created a more thorough patch that will probably catch more error states properly: http://dovecot.org/tmp/diff (url likely not stable) Nothing is applied yet I think. I think this deserves a CVE. There is a related issue in openssl: It will crash instead of throwing an error if one tries to use a connection context that already failed. One could argue that this is not an openssl issue, because apps need to properly check errors. Matt Caswell has created a patch to let openssl handle these situations more gracefully: https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.