| Summary: | <net-mail/dovecot-{2.2.34,2.3.0.1}: multiple vulnerabilities (CVE-2017-{14461,15130}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | eras, net-mail+disabled |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://dovecot.org/list/dovecot-news/2018-February/000370.html | | |
| Whiteboard: | B3 [noglsa cve] | | |
| Package list: | net-mail/dovecot-2.2.34, app-text/libexttextcat-3.4.5 ia64 | | |
| Runtime testing required: | --- | | |

Description
Thomas Deutschmann (RETIRED)
2018-02-26 17:24:32 UTC
* CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage, causing imap-login/pop3-login VSZ limit to be reached and the process restarted. This happens only if Dovecot config has local_name { } or local { } configuration blocks and attacker uses randomly generated SNI servernames.
* CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak memory contents to attacker. For example, these memory contents might contain parts of an email from another user if the same imap process is reused for multiple users. First discovered by Aleksandar Nikolic of Cisco Talos. Independently also discovered by "flxflndy" via HackerOne.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a2f53f6a6fa9cac9d50615dbaa03e10a784e672

commit 5a2f53f6a6fa9cac9d50615dbaa03e10a784e672
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-02-28 22:15:20 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-02-28 22:18:35 +0000

    net-mail/dovecot: Bump to fix CVE-2017-14461 & CVE-2017-15130

    Bug: https://bugs.gentoo.org/648894
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

    net-mail/dovecot/Manifest | 2 +
    net-mail/dovecot/dovecot-2.2.34.ebuild | 290 ++++++++++++++++++++++++++++++++
    net-mail/dovecot/dovecot-2.3.0.1.ebuild | 284 +++++++++++++++++++++++++++++++
    3 files changed, 576 insertions(+)

@ Arches, please test and mark stable: =net-mail/dovecot-2.2.34

amd64 stable

ia64 stable

x86 stable

Stable on alpha.

arm stable

ppc64 stable

hppa stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08a79a10ae120407a7b8ac5cdbeca15697505650

commit 08a79a10ae120407a7b8ac5cdbeca15697505650
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 17:27:38 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:35:09 +0000

    net-mail/dovecot: stable 2.2.34 for ppc, bug #648894

    Bug: https://bugs.gentoo.org/648894
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

    net-mail/dovecot/dovecot-2.2.34.ebuild | 2 +-
    1 file changed, 1 insertion(+), 1 deletion(-)

@maintainer(s), 2.2.19 needs to be purged as it is vulnerable and sh is not a stable arch. sparc has been removed from cc as it has no other stable keywords for previous versions.
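
The exposure conditions from the description above (versions before 2.2.34 / 2.3.0.1, and for CVE-2017-15130 the presence of local_name { } or local { } blocks) can be checked against a host's configuration. This is an added example, not part of the bug report or of Dovecot's code; it assumes the input is `doveconf -n` output beginning with a version banner, and the sample configuration and the name `assess` are constructed for illustration.

```python
import re

# Fixed releases from the bug summary: <net-mail/dovecot-{2.2.34,2.3.0.1}
FIXED_22 = (2, 2, 34)
FIXED_23 = (2, 3, 0, 1)

# Assumption: input is `doveconf -n` output, which starts with a banner
# such as "# 2.2.33.2 (0123abcd): /etc/dovecot/dovecot.conf".
BANNER_RE = re.compile(r"^#\s*(\d+(?:\.\d+)+)\b", re.M)
BLOCK_RE = re.compile(r"^[ \t]*(local_name|local)[ \t]+([^{#\n]+?)[ \t]*\{", re.M)

def parse_version(conf):
    m = BANNER_RE.search(conf)
    if not m:
        raise ValueError("no version banner found")
    return tuple(int(p) for p in m.group(1).split("."))

def is_unfixed(version):
    """True if the version predates the fixed release of its branch."""
    if version[:2] == (2, 3):
        return version < FIXED_23
    return version < FIXED_22

def assess(conf):
    version = parse_version(conf)
    unfixed = is_unfixed(version)
    # (kind, selector) for every local_name { } / local { } block.
    blocks = [(m.group(1), m.group(2)) for m in BLOCK_RE.finditer(conf)]
    return {
        "version": version,
        "blocks": blocks,
        # The address-parsing bug does not depend on configuration.
        "CVE-2017-14461": unfixed,
        # The SNI lookup memory growth needs local_name/local blocks.
        "CVE-2017-15130": unfixed and bool(blocks),
    }

# Constructed sample configuration, not taken from the bug report.
SAMPLE = """# 2.2.33.2 (0123abcd): /etc/dovecot/dovecot.conf
local_name imap.example.org {
  ssl_cert = </etc/ssl/dovecot/imap.pem
}
local 192.0.2.10 {
  ssl_cert = </etc/ssl/dovecot/alt.pem
}
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A host that reports CVE-2017-15130 as False only because it has no such blocks is still affected by CVE-2017-14461 until it is upgraded.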