Bug 509954 (CVE-2014-3430) - <net-mail/dovecot-2.2.13-r1: Denial of Service (CVE-2014-3430)
Summary: <net-mail/dovecot-2.2.13-r1: Denial of Service (CVE-2014-3430)
Status: RESOLVED FIXED
Alias: CVE-2014-3430
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on: 501600
Blocks:
Reported: 2014-05-10 07:49 UTC by Agostino Sarubbo
Modified: 2016-03-19 07:50 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-05-10 07:49:45 UTC
From ${URL} :

There's an upper limit to how many IMAP/POP3 connections can exist that haven't logged in (and separate limits for post-login). Normally when this limit is reached, the oldest connection gets disconnected. There is of course some potential to try to DoS Dovecot by doing a lot of IMAP/POP3 connections, but because the oldest connection always gets destroyed this requires quite a lot of activity from the attacker.

This "destroy oldest connection" however hasn't been working in v1.1+ releases for connections that have started SSL/TLS handshake, but haven't finished it. So an attacker could just do a bunch of TCP connections to port 993 and leave them hanging around and Dovecot would pretty quickly reach the upper limit without being able to disconnect any of the oldest connections.

Here are patches to fix this:

http://hg.dovecot.org/dovecot-2.2/rev/41622541a7a3
http://hg.dovecot.org/dovecot-2.1/rev/b7ac23b4d339
http://hg.dovecot.org/dovecot-2.0/rev/48f90e7e92dc
http://hg.dovecot.org/dovecot-1.2/rev/8ba4253adc9b
http://hg.dovecot.org/dovecot-1.1/rev/fe0e6550585c

The fix will be in v2.2.13. Maybe also in v2.1.18 if I decide to release it. For older releases you need to patch it yourself.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
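The eviction logic the report describes, as an added illustration that is not Dovecot's code: a model of the pre-login connection pool in which the broken variant never selects a connection stuck mid-SSL/TLS-handshake as the "oldest connection" to disconnect, while the fixed variant does. The pool class, state names, timestamps and the `stalled_handshakes` metric are all constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    PLAIN = 1          # TCP accepted, no TLS started
    TLS_HANDSHAKE = 2  # handshake started but not finished

@dataclass
class Conn:
    conn_id: int
    opened_at: float   # constructed timestamp in seconds
    state: State

class PreLoginPool:
    """Connections that have not logged in yet, capped at `limit`."""

    def __init__(self, limit: int, evict_handshaking: bool):
        self.limit = limit
        # Broken behaviour from the report: connections still in the TLS
        # handshake are never chosen as the oldest connection to disconnect.
        self.evict_handshaking = evict_handshaking
        self.conns: list[Conn] = []

    def _evictable(self, c: Conn) -> bool:
        return self.evict_handshaking or c.state is not State.TLS_HANDSHAKE

    def accept(self, conn: Conn) -> bool:
        """Admit `conn`; when full, drop the oldest evictable connection first."""
        if len(self.conns) >= self.limit:
            victims = [c for c in self.conns if self._evictable(c)]
            if not victims:
                return False  # full and nothing may be dropped: client refused
            self.conns.remove(min(victims, key=lambda c: c.opened_at))
        self.conns.append(conn)
        return True

    def stalled_handshakes(self, now: float, max_age: float) -> int:
        """Count handshakes older than `max_age`; a metric worth alerting on."""
        return sum(1 for c in self.conns
                   if c.state is State.TLS_HANDSHAKE and now - c.opened_at > max_age)

def simulate(evict_handshaking: bool, limit: int = 3) -> tuple[bool, int]:
    """Fill the pool with stalled handshakes, then try to admit a real client."""
    pool = PreLoginPool(limit, evict_handshaking)
    for i in range(limit):  # constructed: connections left idle mid-handshake
        pool.accept(Conn(i, opened_at=float(i), state=State.TLS_HANDSHAKE))
    admitted = pool.accept(Conn(99, opened_at=600.0, state=State.PLAIN))
    return admitted, pool.stalled_handshakes(now=600.0, max_age=30.0)
```

With the broken eviction rule the legitimate client is refused while all stalled handshakes remain; with the fixed rule the oldest stalled handshake is dropped and the client is admitted.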
Comment 1 Eray Aslan gentoo-dev 2014-05-12 15:28:48 UTC
+*dovecot-2.2.13 (12 May 2014)
+
+  12 May 2014; Eray Aslan <eras@gentoo.org> +dovecot-2.2.13.ebuild,
+  +files/dovecot-10-ssl.patch:
+  Security bump - bug #509954
+
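Review bot: the ChangeLog entry cites only "bug #509954" as the reason for the security bump; since this bug's alias is CVE-2014-3430, naming the CVE in the entry (for example "Security bump - bug #509954 (CVE-2014-3430)") lets the fix be traced from advisories without consulting the tracker.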
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-05-12 17:51:11 UTC
(In reply to Eray Aslan from comment #1)
> +*dovecot-2.2.13 (12 May 2014)
> +
> +  12 May 2014; Eray Aslan <eras@gentoo.org> +dovecot-2.2.13.ebuild,
> +  +files/dovecot-10-ssl.patch:
> +  Security bump - bug #509954
> +

ready to go stable?
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-05-16 12:14:13 UTC
CVE-2014-3430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3430):
  Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before
  2.2.12.12 does not properly close old connections, which allows remote
  attackers to cause a denial of service (resource consumption) via an
  incomplete SSL/TLS handshake for an IMAP/POP3 connection.
Comment 4 Eray Aslan gentoo-dev 2014-05-22 17:26:13 UTC
Arches, please test and mark stable:
=net-mail/dovecot-2.2.13-r1
Target Keywords: amd64 arm hppa ia64 x86

=app-arch/lz4-0_p106-r1 will also have to be stabilized as a dependency.  Thank you.
Comment 5 Jeroen Roovers gentoo-dev 2014-05-23 01:04:21 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2014-05-24 09:04:54 UTC
amd64 stable
Comment 7 Eray Aslan gentoo-dev 2014-05-26 08:41:19 UTC
Ago, please test and mark stable =net-mail/dovecot-2.2.13-r1.  Adding back amd64.  Thank you.
Comment 8 Sergey Popov gentoo-dev 2014-05-28 12:36:06 UTC
amd64/x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-06-08 10:42:04 UTC
ia64 stable
Comment 10 Markus Meier gentoo-dev 2014-08-03 18:20:11 UTC
arm stable, all arches done.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2014-08-04 00:33:21 UTC
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version.

GLSA Vote: Yes
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2014-08-04 18:58:39 UTC
YES too, request filed.
Comment 13 Eray Aslan gentoo-dev 2014-08-14 09:18:22 UTC
In the meantime, ~alpha ~ppc and ~ppc64 were added to keywords and need to be stabilized as well.  I am assuming that we want to keep track of that in this bug as well (if not, let me know).

Arches, please test and mark stable =net-mail/dovecot-2.2.13-r1.  Thank you.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev Security 2014-08-16 20:02:32 UTC
(In reply to Eray Aslan from comment #13)
> In the meantime, ~alpha ~ppc and ~ppc64 were added to keywords and need to
> be stabilized as well.  I am assuming that we want to keep track of that in
> this bug as well (if not, let me know).
> 
> Arches, please test and mark stable =net-mail/dovecot-2.2.13-r1.  Thank you.

The arches mentioned are not stable arches, and have not been stable before. If you would like to make them stable in the future, please file a separate stabilization bug for them.
Comment 15 Eray Aslan gentoo-dev 2014-08-18 06:28:17 UTC
(In reply to Yury German from comment #14)
> The arches mentioned are not stable arches, and have not been stable before.

I'll assume that you are mixing up the packages.  alpha, ppc and ppc64 are stable arches and they are keyworded stable for net-mail/dovecot.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2014-08-19 03:27:37 UTC
Sorry... I was simply going from current versions in tree, and did not look into the masked 2.2.9 version.

Setting back to stable request.

Arches, please test and mark stable:

=net-mail/dovecot-2.2.13-r1

Target Keywords : "alpha ppc ppc64"
Comment 17 Agostino Sarubbo gentoo-dev 2014-08-21 09:53:42 UTC
ppc stable
Comment 18 Agostino Sarubbo gentoo-dev 2014-08-21 09:53:53 UTC
ppc64 stable
Comment 19 Agostino Sarubbo gentoo-dev 2014-08-21 09:54:12 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 20 Kristian Fiskerstrand gentoo-dev Security 2014-08-21 10:32:16 UTC
We already have a GLSA draft for this ready.
Comment 21 Eray Aslan gentoo-dev 2014-08-22 05:15:05 UTC
Cleanup already done.  Can't punt net-mail/dovecot-2.2.9 for now as doing so would break the stable tree.  See bugs #501600 #519952
Comment 22 Kristian Fiskerstrand gentoo-dev Security 2014-08-22 15:14:11 UTC
(In reply to Eray Aslan from comment #21)
> Cleanup already done.  Can't punt net-mail/dovecot-2.2.9 for now as doing so
> would break the stable tree.  See bugs #501600 #519952

Unless a (i) patch for the vulnerability is backported to that version, (ii) it is package.masked, or (iii) it is removed; cleanup is not done.
Comment 23 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-11-08 07:43:43 UTC
(In reply to Kristian Fiskerstrand from comment #22)
> (In reply to Eray Aslan from comment #21)
> > Cleanup already done.  Can't punt net-mail/dovecot-2.2.9 for now as doing so
> > would break the stable tree.  See bugs #501600 #519952
> 
> Unless a (i) patch for the vulnerability is backported to that version, (ii)
> it is package.masked, or (iii) it is removed; cleanup is not done.

@maintainers, ^^ ping
Comment 24 Kristian Fiskerstrand gentoo-dev Security 2014-12-08 23:14:05 UTC
This issue was resolved and addressed in
GLSA 201412-03 at http://security.gentoo.org/glsa/glsa-201412-03.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).

@maintainers: Please close this bug once cleanup is done, we're done from Security.
Comment 25 Yury German Gentoo Infrastructure gentoo-dev Security 2014-12-26 21:18:26 UTC
For cleanup, bug 501600 I set as a dependency.

Since stabilization will be required for alpha, ia64, and potentially spark, please open a separate bug for the stabilization and set it as a blocker of this bug for cleanup purposes.
Comment 26 Yury German Gentoo Infrastructure gentoo-dev Security 2014-12-26 21:23:56 UTC
(In reply to Yury German from comment #25)
> For cleanup, bug 501600 I set as a dependency.
> 
> 
> spark

spark = sparc (Auto correction taking over).
Comment 27 Yury German Gentoo Infrastructure gentoo-dev Security 2015-03-03 14:08:07 UTC
Maintainer(s), please re-evaluate if 2.2.9 and 2.2.13 can now be dropped.
Comment 28 Sergey Popov gentoo-dev 2015-10-24 15:56:12 UTC
commit 169b6e23ed1fe39812deef35fc9f3002aa5ff9e3
Author: Sergey Popov <pinkbyte@gentoo.org>
Date:   Sat Oct 24 18:55:42 2015 +0300

    net-mail/dovecot: drop old vulnerable versions
    
    Gentoo-Bug: 509954
    
    Package-Manager: portage-2.2.20
Comment 29 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-19 07:50:36 UTC
Old versions were purged.