Comment 1 Thomas Deutschmann (RETIRED) 2018-02-28 22:18:20 UTC

 * CVE-2017-15130: TLS SNI config lookups may lead to excessive
   memory usage, causing imap-login/pop3-login VSZ limit to be reached
   and the process restarted. This happens only if Dovecot config has
   local_name { } or local { } configuration blocks and attacker uses
   randomly generated SNI servernames.
 * CVE-2017-14461: Parsing invalid email addresses may cause a crash or
   leak memory contents to attacker. For example, these memory contents
   might contain parts of an email from another user if the same imap
   process is reused for multiple users. First discovered by Aleksandar
   Nikolic of Cisco Talos. Independently also discovered by "flxflndy"
   via HackerOne.

Comment 2 Larry the Git Cow 2018-02-28 22:18:45 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a2f53f6a6fa9cac9d50615dbaa03e10a784e672

commit 5a2f53f6a6fa9cac9d50615dbaa03e10a784e672
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-02-28 22:15:20 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-02-28 22:18:35 +0000

    net-mail/dovecot: Bump to fix CVE-2017-14461 & CVE-2017-15130
    
    Bug: https://bugs.gentoo.org/648894
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 net-mail/dovecot/Manifest               |   2 +
 net-mail/dovecot/dovecot-2.2.34.ebuild  | 290 ++++++++++++++++++++++++++++++++
 net-mail/dovecot/dovecot-2.3.0.1.ebuild | 284 +++++++++++++++++++++++++++++++
 3 files changed, 576 insertions(+)}

Comment 3 Thomas Deutschmann (RETIRED) 2018-03-01 19:14:24 UTC

@ Arches,

please test and mark stable: =net-mail/dovecot-2.2.34

Comment 4 Agostino Sarubbo 2018-03-02 15:36:06 UTC

amd64 stable

Comment 5 Sergei Trofimovich (RETIRED) 2018-03-02 23:24:04 UTC

ia64 stable

Comment 6 Thomas Deutschmann (RETIRED) 2018-03-04 06:53:28 UTC

x86 stable

Comment 7 Tobias Klausmann (RETIRED) 2018-03-05 17:15:24 UTC

Stable on alpha.

Comment 8 Markus Meier 2018-03-13 17:54:04 UTC

arm stable

Comment 9 Sergei Trofimovich (RETIRED) 2018-04-07 21:58:33 UTC

ppc64 stable

Comment 10 Matt Turner 2018-04-22 20:45:50 UTC

hppa stable

Comment 11 Larry the Git Cow 2018-06-24 19:37:48 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08a79a10ae120407a7b8ac5cdbeca15697505650

commit 08a79a10ae120407a7b8ac5cdbeca15697505650
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 17:27:38 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:35:09 +0000

    net-mail/dovecot: stable 2.2.34 for ppc, bug #648894
    
    Bug: https://bugs.gentoo.org/648894
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 net-mail/dovecot/dovecot-2.2.34.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 12 Aaron Bauman (RETIRED) 2018-12-01 00:33:27 UTC

@maintainer(s), 2.2.19 needs to be purged as it is vulnerable and sh is not a stable arch.

sparc has been removed from cc as it has no other stable keywords for previous versions.