#6444 closed defect (fixed)
Dovecot-2.2.16 Security Issue: CVE-2015-3420
Reported by: | Fernando de Oliveira | Owned by: | Fernando de Oliveira |
---|---|---|---|
Priority: | high | Milestone: | 7.8 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: | | | |
Description
http://www.shieldjournal.com/dovecot-remote-tls-dos-cve-2015-3420/
The latest release of the Dovecot IMAP server (2.2.16) is vulnerable to a remote denial of service (DoS) and has been assigned CVE-2015-3420.
https://cxsecurity.com/issue/WLB-2015040183
The current Dovecot (2.2.16) imap/pop3 server has an issue where handshake failures lead to a crash of the login process.
Patch:
*-login: Don't try to flush SSL output if SSL handshake fails. This fixes a crash on failed handshakes on some OpenSSL builds.
http://hg.dovecot.org/dovecot-2.2/raw-diff/86f535375750/src/login-common/ssl-proxy-openssl.c
I think we should fix the book. Could someone please confirm and take this ticket?
Thanks
Change History (6)
comment:1 by , 10 years ago
Type: | enhancement → defect |
---|---|
comment:2 by , 10 years ago
Priority: | normal → high |
---|---|
comment:3 by , 10 years ago
Owner: | changed from | to |
---|---|---|
Status: | new → assigned | |
comment:4 by , 10 years ago (follow-up: 6)
I think I could transform the patch into a sed, but there are 8 lines to be added and 2 to be substituted, so I will keep the patch. But if anyone else wishes to transform it into seds after I fix the ticket, I don't mind.
comment:5 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at r15905.
Tagged gcc5.
comment:6 by , 10 years ago
Replying to fo:
> I think I could transform the patch into a sed, but there are 8 lines to be added and 2 to be substituted, so I will keep the patch. But if anyone else wishes to transform it into seds after I fix the ticket, I don't mind.

That's a bit much for a sed. The patch is fine.