From ${URL}:

There's an upper limit to how many IMAP/POP3 connections can exist that haven't logged in (and separate limits for post-login). Normally when this limit is reached, the oldest connection gets disconnected. There is of course some potential to try to DoS Dovecot by doing a lot of IMAP/POP3 connections, but because the oldest connection always gets destroyed this requires quite a lot of activity from the attacker.

This "destroy oldest connection" however hasn't been working in v1.1+ releases for connections that have started SSL/TLS handshake, but haven't finished it. So an attacker could just do a bunch of TCP connections to port 993 and leave them hanging around and Dovecot would pretty quickly reach the upper limit without being able to disconnect any of the oldest connections.

Here are patches to fix this:

http://hg.dovecot.org/dovecot-2.2/rev/41622541a7a3
http://hg.dovecot.org/dovecot-2.1/rev/b7ac23b4d339
http://hg.dovecot.org/dovecot-2.0/rev/48f90e7e92dc
http://hg.dovecot.org/dovecot-1.2/rev/8ba4253adc9b
http://hg.dovecot.org/dovecot-1.1/rev/fe0e6550585c

The fix will be in v2.2.13. Maybe also in v2.1.18 if I decide to release it. For older releases you need to patch it yourself.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
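The mechanism in the announcement quoted above (a pre-login connection table with a fixed limit, whose "destroy oldest connection" step skips sockets that have started but never finished the SSL/TLS handshake) is easier to reason about with a small model. The following is an added example, not Dovecot's code and not from this bug thread: the state names, the table size, the eviction loop and the scenario inputs are assumptions constructed to stand in for Dovecot's login process. The vulnerable and fixed variants differ only in whether a mid-handshake connection counts as an eviction candidate.

```python
# Added illustration (not Dovecot code): a toy model of the pre-login
# connection table and its "destroy oldest connection" policy, showing why
# sockets stuck in the SSL/TLS handshake let an attacker pin the table at
# its limit (CVE-2014-3430) and what the fix changes.
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional

# Connection states. These names are assumptions for the model; Dovecot's
# real login process has a different state machine.
PLAIN = "plain"                  # accepted on 143/110, no login yet
SSL_HANDSHAKING = "handshaking"  # accepted on 993/995, handshake never completed
PRE_LOGIN = "pre_login"          # handshake done (or plain), waiting for LOGIN


@dataclass
class Conn:
    cid: int
    state: str


class LoginTable:
    """Pre-login connection table with a fixed size limit.

    evict_handshaking=False reproduces the flaw described in the
    announcement: a connection that has started but not finished its
    SSL/TLS handshake is never picked as the "oldest" victim, so once the
    table fills with such sockets nothing new can be admitted.
    evict_handshaking=True makes every pre-login connection a candidate,
    which is the fixed behaviour.
    """

    def __init__(self, max_conns: int, evict_handshaking: bool) -> None:
        self.max_conns = max_conns
        self.evict_handshaking = evict_handshaking
        self.conns = []          # type: List[Conn]  (arrival order, oldest first)
        self.evicted = []        # type: List[int]
        self.rejected = 0
        self._ids = count(1)

    def _destroy_oldest(self) -> bool:
        """Drop the oldest evictable connection; False if none qualifies."""
        for i, c in enumerate(self.conns):
            if c.state == SSL_HANDSHAKING and not self.evict_handshaking:
                continue         # the bug: mid-handshake sockets are skipped
            self.evicted.append(self.conns.pop(i).cid)
            return True
        return False

    def accept(self, state: str) -> Optional[int]:
        """Admit a new connection, making room first if the table is full.

        Returns the new connection id, or None if it had to be refused.
        """
        if len(self.conns) >= self.max_conns and not self._destroy_oldest():
            self.rejected += 1
            return None
        c = Conn(next(self._ids), state)
        self.conns.append(c)
        return c.cid


def run_scenario(evict_handshaking: bool, limit: int = 5,
                 stalled: int = 5, legit: int = 3) -> Dict[str, object]:
    """Constructed scenario: `stalled` sockets connect to 993 and never
    finish the handshake, then `legit` real clients arrive."""
    table = LoginTable(limit, evict_handshaking)
    for _ in range(stalled):
        table.accept(SSL_HANDSHAKING)
    admitted = [table.accept(PRE_LOGIN) for _ in range(legit)]
    return {
        "legit_admitted": sum(1 for cid in admitted if cid is not None),
        "rejected": table.rejected,
        "evicted": table.evicted,
        "stalled_still_held": sum(1 for c in table.conns
                                  if c.state == SSL_HANDSHAKING),
    }


if __name__ == "__main__":
    for fixed in (False, True):
        label = "fixed" if fixed else "vulnerable"
        print(label, "with stalled handshakes:", run_scenario(fixed))
        # Baseline: plain connection flood, no stalled handshakes. Both
        # variants evict the oldest and keep admitting, so the attacker
        # must keep reconnecting to hold the table full.
        print(label, "plain flood:", run_scenario(fixed, stalled=0, legit=7))
```

With five stalled handshakes filling a table of five, the vulnerable variant refuses every later client and evicts nothing; the fixed variant evicts the stalled sockets oldest-first and admits all of them. The plain-flood baseline behaves the same in both variants, which is the "requires quite a lot of activity from the attacker" case from the announcement.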
+*dovecot-2.2.13 (12 May 2014) + + 12 May 2014; Eray Aslan <eras@gentoo.org> +dovecot-2.2.13.ebuild, + +files/dovecot-10-ssl.patch: + Security bump - bug #509954 +
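Review bot: the entry adds files/dovecot-10-ssl.patch on top of the 2.2.13 bump but says nothing about what the patch does or where it comes from; since upstream states in comment 0 that the fix for this bug is already in v2.2.13, state in the entry (or the patch header) whether the patch is part of this security fix or a separate SSL change, and cite its upstream source, so the security bump can be audited later.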
(In reply to Eray Aslan from comment #1) > +*dovecot-2.2.13 (12 May 2014) > + > + 12 May 2014; Eray Aslan <eras@gentoo.org> +dovecot-2.2.13.ebuild, > + +files/dovecot-10-ssl.patch: > + Security bump - bug #509954 > + ready to go stable?
CVE-2014-3430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3430): Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection.
Arches, please test and mark stable: =net-mail/dovecot-2.2.13-r1
Target Keywords: amd64 arm hppa ia64 x86

=app-arch/lz4-0_p106-r1 will also have to be stabilized as a dependency. Thank you.
Stable for HPPA.
amd64 stable
Ago, please test and mark stable =net-mail/dovecot-2.2.13-r1. Adding back amd64. Thank you.
amd64/x86 stable
ia64 stable
arm stable, all arches done.
Arches, thank you for your work.

Maintainer(s), please drop the vulnerable version.

GLSA Vote: Yes
YES too, request filed.
In the meantime, ~alpha ~ppc and ~ppc64 were added to keywords and need to be stabilized as well. I am assuming that we want to keep track of that in this bug as well (if not, let me know).

Arches, please test and mark stable =net-mail/dovecot-2.2.13-r1. Thank you.
(In reply to Eray Aslan from comment #13)
> In the meantime, ~alpha ~ppc and ~ppc64 were added to keywords and need to
> be stabilized as well. I am assuming that we want to keep track of that in
> this bug as well (if not, let me know).
>
> Arches, please test and mark stable =net-mail/dovecot-2.2.13-r1. Thank you.

The arches mentioned are not stable arches, and have not been stable before. If you would like to make them stable in the future, please file a separate stabilization bug for them.
(In reply to Yury German from comment #14)
> the arches mentioned are not stable arches, and have not been stable before.

I'll assume that you are mixing up the packages. alpha, ppc and ppc64 are stable arches and they are keyworded stable for net-mail/dovecot.
Sorry... was simply going from current versions in tree, and did not look into the masked 2.2.9 version. Setting back to stable request.

Arches, please test and mark stable: =net-mail/dovecot-2.2.13-r1
Target Keywords: "alpha ppc ppc64"
ppc stable
ppc64 stable
alpha stable. Maintainer(s), please cleanup. Security, please vote.
We already have a GLSA draft for this ready.
Cleanup already done. Can't punt net-mail/dovecot-2.2.9 for now as doing so would break the stable tree. See bugs #501600 #519952
(In reply to Eray Aslan from comment #21)
> Cleanup already done. Can't punt net-mail/dovecot-2.2.9 for now as doing so
> would break the stable tree. See bugs #501600 #519952

Unless (i) a patch for the vulnerability is backported to that version, (ii) it is package.masked, or (iii) it is removed, cleanup is not done.
(In reply to Kristian Fiskerstrand from comment #22)
> (In reply to Eray Aslan from comment #21)
> > Cleanup already done. Can't punt net-mail/dovecot-2.2.9 for now as doing so
> > would break the stable tree. See bugs #501600 #519952
>
> Unless (i) a patch for the vulnerability is backported to that version, (ii)
> it is package.masked, or (iii) it is removed, cleanup is not done.

@maintainers, ^^ ping
This issue was resolved and addressed in GLSA 201412-03 at http://security.gentoo.org/glsa/glsa-201412-03.xml by GLSA coordinator Kristian Fiskerstrand (K_F). @maintainers: Please close this bug once cleanup is done, we're done from Security.
For cleanup, bug 501600 I set as a dependency, since stabilization will be required for alpha, ia64, and potentially spark. Please open a separate bug for the stabilization and set it as a blocker of this bug for cleanup purposes.
(In reply to Yury German from comment #25)
> For cleanup, bug 501600 I set as a dependency.
>
> spark

spark = sparc (Auto correction taking over).
Maintainer(s), please re-evaluate if 2.2.9 and 2.2.13 can now be dropped.
commit 169b6e23ed1fe39812deef35fc9f3002aa5ff9e3
Author: Sergey Popov <pinkbyte@gentoo.org>
Date:   Sat Oct 24 18:55:42 2015 +0300

    net-mail/dovecot: drop old vulnerable versions

    Gentoo-Bug: 509954
    Package-Manager: portage-2.2.20
Old versions were purged.