Bug 547872 (CVE-2015-3420) - <net-mail/dovecot-2.2.16-r1: remote DoS on TLS connections (CVE-2015-3420)
Summary: <net-mail/dovecot-2.2.16-r1: remote DoS on TLS connections (CVE-2015-3420)
Alias: CVE-2015-3420
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa/cve]
Depends on:
Reported: 2015-04-27 07:06 UTC by Agostino Sarubbo
Modified: 2015-11-02 20:39 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-04-27 07:06:33 UTC
From ${URL} :

The current Dovecot (2.2.16) imap/pop3 server has an issue where
handshake failures will lead to a crash of the login process.

An example where this is triggered is if the server is configured to
not allow SSLv3 connections and a client tries to connect with SSLv3.

The reason is that the error handling routine will try to finish the
handshake and that will crash. Details here:

I had created a patch; one of the dovecot devs created a more thorough
patch that will probably catch more error states properly:
(url likely not stable)
Nothing is applied yet, I think.

I think this deserves a CVE.

There is a related issue in openssl: It will crash instead of throwing
an error if one tries to use a connection context that already failed.
One could argue that this is not an openssl issue, because apps need to
properly check errors. Matt Caswell has created a patch to let openssl
handle these situations more gracefully:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Hanno Böck gentoo-dev 2015-04-28 09:41:21 UTC
Here's the commit:
Comment 2 Eray Aslan gentoo-dev 2015-04-28 19:49:08 UTC
+*dovecot-2.2.16-r1 (28 Apr 2015)
+  28 Apr 2015; Eray Aslan <> +dovecot-2.2.16-r1.ebuild,
+  +files/CVE-2015-3420.patch:
+  Security bump - bug #547872

Arches, please test and mark stable =net-mail/dovecot-2.2.16-r1. Thank you.

Target keywords = alpha amd64 arm hppa ia64 ppc ppc64 x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-29 06:05:10 UTC
Stable for HPPA PPC64.
Comment 4 Agostino Sarubbo gentoo-dev 2015-04-30 10:56:58 UTC
amd64 stable
Comment 5 Jack Morgan (RETIRED) gentoo-dev 2015-05-13 05:19:09 UTC
ia64 stable
Comment 6 Pacho Ramos gentoo-dev 2015-05-15 10:59:57 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-05-19 07:26:06 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-05-27 13:01:51 UTC
arm stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-28 16:02:42 UTC
alpha stable
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-06-30 18:55:02 UTC
Arches, thank you for your work.

Maintainer(s), please drop the vulnerable version(s).

Security Please Vote.
GLSA Vote: No
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2015-07-06 12:54:58 UTC
CVE-2015-3420 (
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  Dovecot (2.2.16) imap/pop3 server has an issue that handshake failures will
  lead to a crash of the login process.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-07-06 12:56:13 UTC
Please cleanup net-mail/dovecot-2.2.9
Comment 13 Eray Aslan gentoo-dev 2015-07-07 04:58:49 UTC
(In reply to Yury German from comment #12)
> Please cleanup net-mail/dovecot-2.2.9

will do once bug #501600 is resolved
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-16 14:45:25 UTC
GLSA Vote: Yes
Comment 15 Sergey Popov gentoo-dev 2015-07-16 14:55:59 UTC
GLSA vote: No
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-11-02 20:39:54 UTC
Maintainer(s), thank you for the cleanup.

Thank you all. Closing as noglsa.