#10450: dovecot-2.3.0.1
-------------------------+------------------------------
 Reporter:  bdubbs@…     |       Owner:  pierre.labastie
     Type:  enhancement  |      Status:  assigned
 Priority:  normal       |   Milestone:  8.3
Component:  BOOK         |     Version:  SVN
 Severity:  normal       |  Resolution:
 Keywords:               |
-------------------------+------------------------------

Comment (by pierre.labastie):

 Too many CVEs to wait for 2.3.1...

 {{{
 Small patch release to fix the worst bugs in v2.3.0. v2.3.1 is coming in
 about a month with a lot more changes.

  * CVE-2017-15130: TLS SNI config lookups may lead to excessive
    memory usage, causing imap-login/pop3-login VSZ limit to be reached
    and the process restarted. This happens only if Dovecot config has
    local_name { } or local { } configuration blocks and attacker uses
    randomly generated SNI servernames.
  * CVE-2017-14461: Parsing invalid email addresses may cause a crash or
    leak memory contents to attacker. For example, these memory contents
    might contain parts of an email from another user if the same imap
    process is reused for multiple users. First discovered by Aleksandar
    Nikolic of Cisco Talos. Independently also discovered by "flxflndy"
    via HackerOne.
  * CVE-2017-15132: Aborted SASL authentication leaks memory in login
    process.
  * Linux: Core dumping is no longer enabled by default via
    PR_SET_DUMPABLE, because this may allow attackers to bypass
    chroot/group restrictions. Found by cPanel Security Team. Nowadays
    core dumps can be safely enabled by using "sysctl -w
    fs.suid_dumpable=2". If the old behaviour is wanted, it can still be
    enabled by setting:
    import_environment=$import_environment PR_SET_DUMPABLE=1
  - imap-login with SSL/TLS connections may end up in infinite loop
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/10450#comment:2>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
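As an added example, not part of the ticket or of Dovecot's own tooling, the following POSIX shell script audits a dovecot.conf for the two configuration points the quoted 2.3.0.1 notes raise: an import_environment line that re-enables the old PR_SET_DUMPABLE=1 behaviour, and the presence of local_name { } / local { } blocks (the configuration that made the CVE-2017-15130 SNI lookup issue reachable, so those installs should be on 2.3.0.1 or later). The sample configuration is constructed for the example; the function names and the 192.0.2.0/24 and imap.example.test values are assumptions.

```shell
#!/bin/sh
# Added example (not from the ticket or from Dovecot): audit a Dovecot
# configuration for the settings discussed in the 2.3.0.1 release notes.
# The dovecot.conf excerpt written below is constructed for this example.

# Succeeds if an uncommented import_environment line re-enables
# PR_SET_DUMPABLE=1 (the pre-2.3.0.1 default that the notes call out).
dovecot_dumpable_enabled() {
    # $1 = path to dovecot.conf; commented-out lines are ignored.
    grep -v '^[[:space:]]*#' "$1" | grep -q 'import_environment.*PR_SET_DUMPABLE=1'
}

# Prints the number of local_name { } / local { } blocks, i.e. the
# configuration shape that was exposed to CVE-2017-15130 before 2.3.0.1.
dovecot_sni_blocks() {
    # "|| true" keeps the count printable when grep -c finds no match.
    grep -v '^[[:space:]]*#' "$1" | grep -cE '^[[:space:]]*local(_name)?[[:space:]]+[^{]*\{' || true
}

# Succeeds if the given fs.suid_dumpable value is the one the notes
# recommend (2); the value is passed in so this runs without root/sysctl.
suid_dumpable_ok() {
    [ "$1" = "2" ]
}

# Full audit of one config file; returns 1 if a risky setting was found.
audit_dovecot_conf() {
    conf=$1
    rc=0
    if dovecot_dumpable_enabled "$conf"; then
        echo "WARN: $conf re-enables PR_SET_DUMPABLE=1 via import_environment"
        rc=1
    fi
    n=$(dovecot_sni_blocks "$conf")
    if [ "$n" -gt 0 ]; then
        echo "INFO: $conf has $n local/local_name block(s); make sure Dovecot is >= 2.3.0.1"
    fi
    return $rc
}

# Constructed sample configuration (hypothetical hostnames and addresses).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed dovecot.conf excerpt for the example
protocols = imap
#import_environment=$import_environment PR_SET_DUMPABLE=1
import_environment=$import_environment PR_SET_DUMPABLE=1
local_name imap.example.test {
  ssl_cert = </etc/ssl/certs/example.pem
}
local 192.0.2.0/24 {
  ssl = yes
}
EOF

audit_dovecot_conf "$SAMPLE_CONF" || echo "audit flagged a risky setting"
```

Against the constructed sample, the audit warns about the re-enabled PR_SET_DUMPABLE=1 line (the commented copy is ignored) and reports two local/local_name blocks. On a real host, run it against /etc/dovecot/dovecot.conf and any files it includes, and pass `sysctl -n fs.suid_dumpable` to suid_dumpable_ok to confirm the recommended core-dump setting.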