FEDORA-2018-c967cee830

security update in Fedora 26 for dovecot

Status: obsolete
dovecot updated to 2.2.34, pigeonhole updated to 0.4.22
  • fixes CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage, causing the imap-login/pop3-login VSZ limit to be reached and the process restarted. This happens only if the Dovecot config has local_name { } or local { } configuration blocks and an attacker uses randomly generated SNI server names.
  • fixes CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak memory contents to the attacker. For example, these memory contents might contain parts of an email from another user if the same imap process is reused for multiple users.
  • fixes CVE-2017-15132: Aborted SASL authentication leaks memory in the login process.

  • doveadm: Fix crash in proxying (or dsync replication) if remote is running older than v2.2.33
  • auth: Fix memory leak in %{ldap_dn}
  • dict-sql: Fix data types to work correctly with Cassandra
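The CVE-2017-15130 note above gives two preconditions: a Dovecot older than the version this update ships (2.2.34) and a config containing local_name { } or local { } blocks. The following script is an added example, not part of Dovecot or of this Fedora update; it scans doveconf-style output for those blocks and compares a version string against 2.2.34 (the fixed version is an assumption taken from this update text, not from upstream). The sample config is constructed for the example, not captured from a real host.

```python
"""Exposure check for CVE-2017-15130 as described in this update.

Added example, not Dovecot's own code. It reads doveconf-style output
(e.g. `doveconf -n`) and reports whether the config contains `local_name { }`
or `local { }` blocks, which the update text names as the precondition for
the SNI lookup memory growth, and whether the version predates the fixed 2.2.34.
"""
import re
from typing import List, Tuple

# Version this Fedora update ships; assumed to be the first fixed version.
FIXED_VERSION = (2, 2, 34)

# Constructed sample of `doveconf -n` output (not captured from a real host).
SAMPLE_CONFIG = """\
protocols = imap pop3
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
local_name mail.example.test {
  ssl_cert = </etc/pki/dovecot/certs/mail.example.test.pem
  ssl_key = </etc/pki/dovecot/private/mail.example.test.pem
}
local 192.0.2.0/24 {
  ssl_cert = </etc/pki/dovecot/certs/internal.pem
}
namespace inbox {
  inbox = yes
  mailbox Drafts {
    special_use = \\Drafts
  }
}
"""

# A block opener in doveconf output: `keyword [argument] {` on its own line.
_BLOCK_OPEN = re.compile(r"^\s*([A-Za-z_]+)(?:\s+(.*?))?\s*\{\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.2.33.2', 'dovecot-2.2.34-1.fc26' or `dovecot --version`
    output into a tuple that compares numerically."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def find_sni_blocks(config: str) -> List[Tuple[str, str]]:
    """Return (keyword, argument) for every local_name/local block.

    Only block openers are matched, so `ssl_cert = <...` value lines and
    unrelated blocks such as `namespace inbox {` are ignored.
    """
    found = []
    for line in config.splitlines():
        m = _BLOCK_OPEN.match(line)
        if m and m.group(1) in ("local_name", "local"):
            found.append((m.group(1), m.group(2) or ""))
    return found


def cve_2017_15130_exposure(config: str, version: str) -> dict:
    """Combine the two preconditions the update text gives: a version
    before the fix and at least one local_name/local block."""
    blocks = find_sni_blocks(config)
    before_fix = parse_version(version) < FIXED_VERSION
    return {
        "version_before_fix": before_fix,
        "sni_blocks": blocks,
        "exposed": before_fix and bool(blocks),
    }


if __name__ == "__main__":
    # On a real host feed it `doveconf -n` output and `dovecot --version`.
    print(cve_2017_15130_exposure(SAMPLE_CONFIG, "dovecot-2.2.33.2-1.fc26"))
```

Note that the check only reflects what this update says; a host that reports "exposed" still needs the SNI blocks to be reachable by clients over TLS for the memory growth to be triggered, and a host on 2.2.34 or later with such blocks is simply using a supported feature.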

Comments 5

This update has been submitted for testing by mhlavink.

This update has obsoleted dovecot-2.2.33.2-1.fc26, and has inherited its bugs and notes.

This update has been pushed to testing.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes.

This update has been obsoleted by dovecot-2.2.35-1.fc26.


Content Type: RPM
Status: obsolete
Submitted by: mhlavink
Update Type: security
Update Severity: unspecified
Karma: 0 (stable threshold: 3, unstable threshold: -3)
Autopush (karma): Enabled
Autopush (time): Disabled
Dates: submitted 2 years ago; in testing 2 years ago

Related Bugs 3

#1505008 dovecot-2.2.33.2 is available
#1538717 CVE-2017-15132 dovecot: Auth leaks memory if SASL authentication is aborted [fedora-all]
#1550508 CVE-2017-14461 dovecot: Information Leak Vulnerability in rfc822_parse_domain leading to denial-of-service [fedora-all]
