Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#6444 closed defect (fixed)

Dovecot-2.2.16 Security Issue: CVE-2015-3420

Reported by: Fernando de Oliveira Owned by: Fernando de Oliveira
Priority: high Milestone: 7.8
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

http://www.shieldjournal.com/dovecot-remote-tls-dos-cve-2015-3420/

The latest release of the Dovecot IMAP server (2.2.16) is vulnerable
to a remote denial of service (DoS) and has been assigned CVE-2015-3420.

https://cxsecurity.com/issue/WLB-2015040183

The current Dovecot (2.2.16) imap/pop3 server has an issue that
handshake failures will lead to a crash of the login process.

Patch:

*-login: Don't try to flush SSL output if SSL handshake fails.
This fixes a crash on failed handshakes on some OpenSSL builds.

http://hg.dovecot.org/dovecot-2.2/raw-diff/86f535375750/src/login-common/ssl-proxy-openssl.c

Think we should fix the book. Please, someone could confirm and take this ticket?

Thanks

Change History (6)

comment:1 by Fernando de Oliveira, 7 years ago

Type: enhancementdefect

comment:2 by Fernando de Oliveira, 7 years ago

Priority: normalhigh

comment:3 by Fernando de Oliveira, 7 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: newassigned

comment:4 by Fernando de Oliveira, 7 years ago

I think I could transform the patch in an sed, but there are 8 lines to be added and 2 to be substituted, so, will keep the patch. But if anyone else wished to transform into seds after I fix the ticket, I don't mind.

comment:5 by Fernando de Oliveira, 7 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r15905.

tagged gcc5.

in reply to:  4 comment:6 by bdubbs@…, 7 years ago

Replying to fo:

I think I could transform the patch in an sed, but there are 8 lines to be added and 2 to be substituted, so, will keep the patch. But if anyone else wished to transform into seds after I fix the ticket, I don't mind.

That's a bit much for a sed. The patch is fine.

Note: See TracTickets for help on using tickets.