Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 648894 (CVE-2017-14461, CVE-2017-15130) - <net-mail/dovecot-{2.2.34,2.3.0.1}: multiple vulnerabilities (CVE-2017-{14461,15130})
Summary: <net-mail/dovecot-{2.2.34,2.3.0.1}: multiple vulnerabilities (CVE-2017-{14461...
Status: RESOLVED FIXED
Alias: CVE-2017-14461, CVE-2017-15130
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://dovecot.org/list/dovecot-news...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-26 17:24 UTC by Thomas Deutschmann
Modified: 2019-03-11 02:55 UTC (History)
2 users (show)

See Also:
Package list:
net-mail/dovecot-2.2.34 app-text/libexttextcat-3.4.5 ia64
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2018-02-26 17:24:32 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-02-28 22:18:20 UTC
 * CVE-2017-15130: TLS SNI config lookups may lead to excessive
   memory usage, causing imap-login/pop3-login VSZ limit to be reached
   and the process restarted. This happens only if Dovecot config has
   local_name { } or local { } configuration blocks and attacker uses
   randomly generated SNI servernames.
 * CVE-2017-14461: Parsing invalid email addresses may cause a crash or
   leak memory contents to attacker. For example, these memory contents
   might contain parts of an email from another user if the same imap
   process is reused for multiple users. First discovered by Aleksandar
   Nikolic of Cisco Talos. Independently also discovered by "flxflndy"
   via HackerOne.
Comment 2 Larry the Git Cow gentoo-dev 2018-02-28 22:18:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a2f53f6a6fa9cac9d50615dbaa03e10a784e672

commit 5a2f53f6a6fa9cac9d50615dbaa03e10a784e672
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-02-28 22:15:20 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-02-28 22:18:35 +0000

    net-mail/dovecot: Bump to fix CVE-2017-14461 & CVE-2017-15130
    
    Bug: https://bugs.gentoo.org/648894
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 net-mail/dovecot/Manifest               |   2 +
 net-mail/dovecot/dovecot-2.2.34.ebuild  | 290 ++++++++++++++++++++++++++++++++
 net-mail/dovecot/dovecot-2.3.0.1.ebuild | 284 +++++++++++++++++++++++++++++++
 3 files changed, 576 insertions(+)}
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-03-01 19:14:24 UTC
@ Arches,

please test and mark stable: =net-mail/dovecot-2.2.34
Comment 4 Agostino Sarubbo gentoo-dev 2018-03-02 15:36:06 UTC
amd64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-02 23:24:04 UTC
ia64 stable
Comment 6 Thomas Deutschmann gentoo-dev Security 2018-03-04 06:53:28 UTC
x86 stable
Comment 7 Tobias Klausmann gentoo-dev 2018-03-05 17:15:24 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2018-03-13 17:54:04 UTC
arm stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-04-07 21:58:33 UTC
ppc64 stable
Comment 10 Matt Turner gentoo-dev 2018-04-22 20:45:50 UTC
hppa stable
Comment 11 Larry the Git Cow gentoo-dev 2018-06-24 19:37:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08a79a10ae120407a7b8ac5cdbeca15697505650

commit 08a79a10ae120407a7b8ac5cdbeca15697505650
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 17:27:38 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:35:09 +0000

    net-mail/dovecot: stable 2.2.34 for ppc, bug #648894
    
    Bug: https://bugs.gentoo.org/648894
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 net-mail/dovecot/dovecot-2.2.34.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-12-01 00:33:27 UTC
@maintainer(s), 2.2.19 needs to be purged as it is vulnerable and sh is not a stable arch.

sparc has been removed from cc as it has no other stable keywords for previous versions.