security update in Fedora 27 for dovecot

Status: stable a year ago
dovecot updated to 2.2.34, pigeonhole updated to 0.4.22
fixes CVE-2017-15130: TLS SNI config lookups may lead to excessive
  memory usage, causing imap-login/pop3-login VSZ limit to be reached
  and the process restarted. This happens only if Dovecot config has
  local_name { } or local { } configuration blocks and attacker uses
  randomly generated SNI servernames.
fixes CVE-2017-14461: Parsing invalid email addresses may cause a crash or
  leak memory contents to attacker. For example, these memory contents
  might contain parts of an email from another user if the same imap
  process is reused for multiple users.
fixes CVE-2017-15132: Aborted SASL authentication leaks memory in login

How to install

sudo dnf upgrade --advisory=FEDORA-2018-52d79f4f36

Comments 10

This update has been submitted for testing by mhlavink.

This update has been pushed to testing.

No regressions here.

karma: +1

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

Works fine for me.

karma: +1

Ok works for me

karma: +1

This update has been submitted for batched by bodhi.

This update has been submitted for stable by bodhi.

This update has been pushed to stable.

Content Type
Test Gating
Submitted by
Update Type
Update Severity
stable threshold: 3
unstable threshold: -3
submitted a year ago
in testing a year ago
in stable a year ago

Related Bugs 2

00 #1538717 CVE-2017-15132 dovecot: Auth leaks memory if SASL authentication is aborted [fedora-all]
00 #1550508 CVE-2017-14461 dovecot: Information Leak Vulnerability in rfc822_parse_domain leading to denial-of-service [fedora-all]

Automated Test Results