Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#8604 closed enhancement (fixed)

dovecot-2.2.27 (CVE-2016-8652)

Reported by: bdubbs@… Owned by: Pierre Labastie
Priority: high Milestone: 8.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by Douglas R. Reno)

New point version.

Important vulnerability in Dovecot (CVE-2016-8652)
CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
Affected version(s): 2.2.25.1 up to 2.2.26.1
Fixed in: 2.2.27.1rc1

Short summary: Dovecot auth component can be crashed by remote user when
auth-policy component is activated.

If auth-policy component has been activated in Dovecot, then remote user
can use SASL authentication to crash auth component.

Workaround is to disable auth-policy component until fix is in place.
This can be done by commenting out all auth_policy_* settings.

Change History (5)

comment:1 by Douglas R. Reno, 8 years ago

Description: modified (diff)
Priority: normalhigh

comment:2 by Douglas R. Reno, 8 years ago

Summary: dovecot-2.2.27dovecot-2.2.27 (CVE-2016-8652)

comment:3 by Pierre Labastie, 8 years ago

Owner: changed from blfs-book@… to Pierre Labastie
Status: newassigned

comment:4 by Pierre Labastie, 8 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r18047

comment:5 by bdubbs@…, 8 years ago

Milestone: 7.118.0

Milestone renamed

Note: See TracTickets for help on using tickets.