| Summary: | <net-mail/dovecot-2.2.27: remote crash when auth-policy component is activated | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | eras, hanno, net-mail+disabled |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2016/12/02/4 | | |
| Whiteboard: | C3 [noglsa cve] | | |
| Package list: | =net-mail/dovecot-2.2.27 =app-text/libexttextcat-3.4.4 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | | | |
| Bug Blocks: | 615264 | | |
Description
Agostino Sarubbo
2016-12-02 13:49:12 UTC
@ Maintainer(s): Dovecot v2.2.27 is now released, see http://dovecot.org/list/dovecot-news/2016-December/000333.html

From announcement:

> Note that the download URLs are now https with a certificate from Let's Encrypt.

So you can also adjust SRC_URI to use HTTPS.

And I am not convinced that we aren't affected. According to the advisory,

> Affected version(s): 2.2.25.1 up to 2.2.26.1

We have v2.2.25. But if you see the fixes,

https://github.com/dovecot/core/commit/1f2c35da2b96905bec6e45f88af0f33ee63789e6
https://github.com/dovecot/core/commit/2c3f37672277b1f73f84722802aaa0ab1ab3e413

then you don't see one of these files touched between v2.2.25 and v2.2.25.1, see https://github.com/dovecot/core/compare/2.2.25...2.2.25.1

So if v2.2.25.1 is vulnerable, I would expect that our v2.2.25 is affected as well. I'll ping upstream to ask for clarification.

Upstream replied: Their advisory is wrong and previous versions (including our v2.2.25) are affected!

@ Maintainer(s): Please bump to >=net-mail/dovecot-2.2.27

Arches, please test and mark stable =net-mail/dovecot-2.2.27

Target Keywords = alpha amd64 arm hppa ppc ppc64 ~s390 x86

Alpha, arm, hppa, ppc and ppc64 will need to stabilize =app-text/libexttextcat-3.4.4 as well. It is an optional dependency via the textcat USE flag.

Stable on alpha.

amd64 stable

x86 stable

arm stable

Shouldn't #601880 block stabilization?

(In reply to Nick Wallingford from comment #8)
> Shouldn't #601880 block stabilization?

No, this is a libressl problem and libressl has no security coverage in Gentoo at the moment (i.e. no stable ebuild), so we don't care. Also, maintainer(s) can always add a patch which fixes a compilation problem without losing stable keywords. So no need to block stabilization.

Stable for HPPA.

ppc stable

ppc64 stable.

Maintainer(s), please cleanup. Security, please vote.

Can't remove =net-mail/dovecot-2.2.19 without breaking the tree for ia64 mips sh and sparc (see bug #564484)

Rest punted from the tree.

(In reply to Eray Aslan from comment #13)
> Can't remove =net-mail/dovecot-2.2.19 without breaking the tree for ia64
> mips sh and sparc (see bug #564484)
>
> Rest punted from the tree.

Thanks for the info. Once it is able to be security masked or cleaned, just let us know.

GLSA Vote: No

Why was ia64/sparc not CC'ed for stable here?

I missed that as well, but unsure of the reasoning.

(In reply to Aaron Bauman from comment #16)
> Why was ia64/sparc not CC'ed for stable here? I missed that as well, but
> unsure of the reasoning.

dovecot dropped keywords on ia64 and sparc in the past and is awaiting re-keywording, see depending bug 564484.

@maintainer(s), please consider dropping keywords or masking the old version. Thanks.

=net-mail/dovecot-2.2.19 is only for ia64/sparc which are not security supported. No other arches will be impacted with the ebuild being in place.