Bug#888432: marked as done (dovecot: CVE-2017-15132: auth client leaks memory if SASL authentication is aborted)
Your message dated Sat, 10 Mar 2018 23:17:52 + with message-id and subject line
Bug#888432: fixed in dovecot 1:2.2.13-12~deb8u4
has caused the Debian Bug report #888432,
regarding dovecot: CVE-2017-15132: auth client leaks memory if SASL authentication is aborted
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
888432: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888432
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: dovecot
Version: 1:2.2.13-1
Severity: important
Tags: upstream security patch

Hi,

the following vulnerability was published for dovecot.

CVE-2017-15132[0]:
auth client leaks memory if SASL authentication is aborted

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15132
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15132
[1] http://www.openwall.com/lists/oss-security/2018/01/25/4
[2] https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.2.13-12~deb8u4

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.

If you have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Apollon Oikonomopoulos (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 01 Mar 2018 19:12:05 +0200
Source: dovecot
Binary: dovecot-core dovecot-dev dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-managesieved dovecot-pgsql dovecot-mysql dovecot-sqlite dovecot-ldap dovecot-gssapi dovecot-sieve dovecot-solr dovecot-lucene dovecot-dbg
Architecture: source amd64
Version: 1:2.2.13-12~deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Dovecot Maintainers
Changed-By: Apollon Oikonomopoulos
Description:
 dovecot-core - secure POP3/IMAP server - core files
 dovecot-dbg - secure POP3/IMAP server - debug symbols
 dovecot-dev - secure POP3/IMAP server - header files
 dovecot-gssapi - secure POP3/IMAP server - GSSAPI support
 dovecot-imapd - secure POP3/IMAP server - IMAP daemon
 dovecot-ldap - secure POP3/IMAP server - LDAP support
 dovecot-lmtpd - secure POP3/IMAP server - LMTP server
 dovecot-lucene - secure POP3/IMAP server - Lucene support
 dovecot-managesieved - secure POP3/IMAP server - ManageSieve server
 dovecot-mysql - secure POP3/IMAP server - MySQL support
 dovecot-pgsql - secure POP3/IMAP server - PostgreSQL support
 dovecot-pop3d - secure POP3/IMAP server - POP3 daemon
 dovecot-sieve - secure POP3/IMAP server - Sieve filters support
 dovecot-solr - secure POP3/IMAP server - Solr support
 dovecot-sqlite - secure POP3/IMAP server - SQLite support
Closes: 888432 891819 891820
Changes:
 dovecot (1:2.2.13-12~deb8u4) jessie-security; urgency=high
 .
   * [eb6eab8] Fix CVE-2017-14461: rfc822_parse_domain information leak
     (Closes: #891819)
   * [df2ccf9] Fix CVE-2017-15130: TLS SNI config lookups are inefficient and
     can be used for DoS (Closes: #891820)
     + Use dh-autoreconf, as src/Makefile.in needs to be regenerated. Also
       disable dovecot_name.patch, since it changes dovecot's banner in
       conjunction with dh_autoreconf.
   * [292742f] Fix CVE-2017-15132: memory leak on aborted SASL auth
     (Closes: #888432)
   * [3e2ccd1] Add myself to Uploaders
Checksums-Sha1:
 672ac1c717a4b282ddf7a257da44d4449e6b178a 3335 dovecot_2.2.13-12~deb8u4.dsc
 ee8efc77cb9d502dc416ae4fba242adc5f01c163 4613824 dovecot_2.2.13.orig.tar.gz
 3b2c547fbb71013f208d4af025ba7b247f538977 746136 dovecot_2.2.13-12~deb8u4.debian.tar.xz
 48e4c8d80e2210b20aed9d4860d74507449cfd69 2659458 dovecot-core_2.2.13-12~deb8u4_amd64.deb
 9149f367fcca0d2dd588ca171000a0863a4cd7da 750702 dovecot-dev_2.2.13-12~deb8u4_amd64.deb
 f26879470c738195253c70069f5b5c60010a1723 646064
Bug#888432: marked as done (dovecot: CVE-2017-15132: auth client leaks memory if SASL authentication is aborted)
Your message dated Sat, 03 Mar 2018 21:02:09 + with message-id and subject line
Bug#888432: fixed in dovecot 1:2.2.27-3+deb9u2
has caused the Debian Bug report #888432,
regarding dovecot: CVE-2017-15132: auth client leaks memory if SASL authentication is aborted
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
888432: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888432
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: dovecot
Version: 1:2.2.13-1
Severity: important
Tags: upstream security patch

Hi,

the following vulnerability was published for dovecot.

CVE-2017-15132[0]:
auth client leaks memory if SASL authentication is aborted

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15132
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15132
[1] http://www.openwall.com/lists/oss-security/2018/01/25/4
[2] https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.2.27-3+deb9u2

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.

If you have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Apollon Oikonomopoulos (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 01 Mar 2018 15:15:45 +0200
Source: dovecot
Binary: dovecot-core dovecot-dev dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-managesieved dovecot-pgsql dovecot-mysql dovecot-sqlite dovecot-ldap dovecot-gssapi dovecot-sieve dovecot-solr dovecot-lucene dovecot-dbg
Architecture: source amd64
Version: 1:2.2.27-3+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Dovecot Maintainers
Changed-By: Apollon Oikonomopoulos
Description:
 dovecot-core - secure POP3/IMAP server - core files
 dovecot-dbg - secure POP3/IMAP server - debug symbols
 dovecot-dev - secure POP3/IMAP server - header files
 dovecot-gssapi - secure POP3/IMAP server - GSSAPI support
 dovecot-imapd - secure POP3/IMAP server - IMAP daemon
 dovecot-ldap - secure POP3/IMAP server - LDAP support
 dovecot-lmtpd - secure POP3/IMAP server - LMTP server
 dovecot-lucene - secure POP3/IMAP server - Lucene support
 dovecot-managesieved - secure POP3/IMAP server - ManageSieve server
 dovecot-mysql - secure POP3/IMAP server - MySQL support
 dovecot-pgsql - secure POP3/IMAP server - PostgreSQL support
 dovecot-pop3d - secure POP3/IMAP server - POP3 daemon
 dovecot-sieve - secure POP3/IMAP server - Sieve filters support
 dovecot-solr - secure POP3/IMAP server - Solr support
 dovecot-sqlite - secure POP3/IMAP server - SQLite support
Closes: 888432 891819 891820
Changes:
 dovecot (1:2.2.27-3+deb9u2) stretch-security; urgency=high
 .
   * [794e743] Fix CVE-2017-14461: rfc822_parse_domain information leak
     vulnerability (Closes: #891819)
   * [530ca6d] Fix CVE-2017-15130: TLS SNI config lookups are inefficient and
     can be used for DoS (Closes: #891820)
     + Use dh-autoreconf, as src/Makefile.in needs to be regenerated. Also
       disable dovecot_name.patch, since it changes dovecot's banner in
       conjunction with dh_autoreconf.
   * [68c2156] Fix CVE-2017-15132: memory leak on aborted SASL auth
     (Closes: #888432)
Checksums-Sha1:
 4cfcc5d55d83674da715edb28218f5c6a5df93d1 3416 dovecot_2.2.27-3+deb9u2.dsc
 e007081c43b06fa2670d556de7a62bbb87fc637c 5794668 dovecot_2.2.27.orig.tar.gz
 7f79a204568dc0a59ac80edb5c9e03c1a4f89f07 862944 dovecot_2.2.27-3+deb9u2.debian.tar.xz
 1271b4fce8a8521c6b36fcc0466ff9882266dd7e 3324024 dovecot-core_2.2.27-3+deb9u2_amd64.deb
 2fc9e8eef25edcdc885c3d517c6f53042d4c89c4 14125794 dovecot-dbg_2.2.27-3+deb9u2_amd64.deb
 146d8dd2723189aa9d3089303b2b3ed0f288cb9b 960708 dovecot-dev_2.2.27-3+deb9u2_amd64.deb
Bug#888432: marked as done (dovecot: CVE-2017-15132: auth client leaks memory if SASL authentication is aborted)
Your message dated Thu, 01 Mar 2018 09:50:15 + with message-id and subject line
Bug#888432: fixed in dovecot 1:2.2.34-1
has caused the Debian Bug report #888432,
regarding dovecot: CVE-2017-15132: auth client leaks memory if SASL authentication is aborted
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
888432: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888432
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: dovecot
Version: 1:2.2.13-1
Severity: important
Tags: upstream security patch

Hi,

the following vulnerability was published for dovecot.

CVE-2017-15132[0]:
auth client leaks memory if SASL authentication is aborted

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15132
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15132
[1] http://www.openwall.com/lists/oss-security/2018/01/25/4
[2] https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.2.34-1

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.

If you have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Apollon Oikonomopoulos (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 01 Mar 2018 10:55:49 +0200
Source: dovecot
Binary: dovecot-core dovecot-dev dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-managesieved dovecot-pgsql dovecot-mysql dovecot-sqlite dovecot-ldap dovecot-gssapi dovecot-sieve dovecot-solr dovecot-lucene
Architecture: source amd64
Version: 1:2.2.34-1
Distribution: unstable
Urgency: medium
Maintainer: Dovecot Maintainers
Changed-By: Apollon Oikonomopoulos
Description:
 dovecot-core - secure POP3/IMAP server - core files
 dovecot-dev - secure POP3/IMAP server - header files
 dovecot-gssapi - secure POP3/IMAP server - GSSAPI support
 dovecot-imapd - secure POP3/IMAP server - IMAP daemon
 dovecot-ldap - secure POP3/IMAP server - LDAP support
 dovecot-lmtpd - secure POP3/IMAP server - LMTP server
 dovecot-lucene - secure POP3/IMAP server - Lucene support
 dovecot-managesieved - secure POP3/IMAP server - ManageSieve server
 dovecot-mysql - secure POP3/IMAP server - MySQL support
 dovecot-pgsql - secure POP3/IMAP server - PostgreSQL support
 dovecot-pop3d - secure POP3/IMAP server - POP3 daemon
 dovecot-sieve - secure POP3/IMAP server - Sieve filters support
 dovecot-solr - secure POP3/IMAP server - Solr support
 dovecot-sqlite - secure POP3/IMAP server - SQLite support
Closes: 888432 891819 891820
Changes:
 dovecot (1:2.2.34-1) unstable; urgency=medium
 .
   * [f53dc9a] New upstream version 2.2.34
     Fixes the following security issues:
     + CVE-2017-15130: TLS SNI config lookups may lead to excessive memory
       usage (Closes: #891820)
     + CVE-2017-14461: rfc822_parse_domain information leak vulnerability
       (Closes: #891819)
     + CVE-2017-15132: auth client leaks memory if SASL authentication is
       aborted (Closes: #888432)
   * [0dc98c6] Do not patch all-settings.c; regenerate it at build time instead.
     Thanks to Aki Tuomi!
   * [e678e3b] Bump dh compat to 11
     + B-D on debhelper (>= 11~)
     + Use dh_installsystemd instead of dh_systemd_enable
   * [271b290] Bump Standards-Version to 4.1.3; no changes needed
   * [3cd6715] d/copyright: bump upstream and debian years
   * [380d1ac] Drop the ENABLED flag from /etc/default/dovecot (but let the
     initscript handle it if it exists)
   * [97d6fae] d/watch: switch upstream URL to https://
Checksums-Sha1:
 b77048eda2dd397cba70688ce8b6c0f43d615bd3 3164 dovecot_2.2.34-1.dsc
 4b1c016d0d3ec4b06a2eb26e7cbbf83e70ac16f9 6181270 dovecot_2.2.34.orig.tar.gz
 9b42445eef114e7ed8f19d291b480a8bedf8622a 879184
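The three close messages above give three different "fixed in" versions for the same bug (1:2.2.13-12~deb8u4 for jessie, 1:2.2.27-3+deb9u2 for stretch, 1:2.2.34-1 for unstable), and the suffixes matter: `~deb8u4` sorts below a plain `-12`, `+deb9u2` sorts above a plain `-3`, and the `1:` epoch outranks everything after it, so a string or float comparison of these versions gives wrong answers. The following is an added example, not code from the Debian BTS, the dovecot package or dpkg: it re-implements the Debian version ordering (Policy section 5.6.12, the same algorithm `dpkg --compare-versions` uses) in Python so the check can run anywhere, and maps suite names to the fixed versions quoted on this page. The suite names used as keys and the `installed_version()` helper around `dpkg-query` are this example's own assumptions; everything else is the general dpkg ordering, which goes beyond the three versions on the page.

```python
"""Check an installed dovecot-core version against the CVE-2017-15132 fixes.

Added example for this bug log; not code from Debian's BTS, the dovecot
package or dpkg.  The comparison re-implements the Debian version ordering
(Debian Policy 5.6.12) so that suffixes such as ``~deb8u4`` and ``+deb9u2``
and the ``1:`` epoch are ordered the way dpkg orders them.  The
suite-to-version table is taken from the three "fixed in" notices above;
the suite names used as keys are an assumption of this example.
"""
import subprocess
from typing import Dict, Tuple

# Fixed versions named in the close messages for Bug#888432.
FIXED_VERSIONS: Dict[str, str] = {
    "jessie": "1:2.2.13-12~deb8u4",
    "stretch": "1:2.2.27-3+deb9u2",
    "unstable": "1:2.2.34-1",
}


def _char_order(c: str) -> int:
    """dpkg's weight for a non-digit character: '~' sorts before everything,
    including the end of the string (weight 0); letters sort before symbols."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision the dpkg way: alternate
    non-digit runs (by _char_order) and digit runs (numerically) until they
    differ.  Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run; an exhausted string or a digit counts as weight 0.
        while True:
            ac = _char_order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _char_order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return -1 if ac < bc else 1
            if ac == 0:
                break
            i += 1
            j += 1
        # Digit run, compared as integers so that "12" > "9".
        na = nb = 0
        while i < len(a) and a[i].isdigit():
            na = na * 10 + int(a[i])
            i += 1
        while j < len(b) and b[j].isdigit():
            nb = nb * 10 + int(b[j])
            j += 1
        if na != nb:
            return -1 if na < nb else 1
    return 0


def parse_version(version: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream_version[-debian_revision] into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Order two Debian versions: epoch first, then upstream, then revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _compare_fragment(ua, ub)
    if result:
        return result
    return _compare_fragment(ra, rb)


def is_fixed(installed: str, suite: str) -> bool:
    """True when the installed dovecot-core is at or above the suite's fix."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


def installed_version(package: str = "dovecot-core") -> str:
    """Ask dpkg for the installed version (only works on a Debian system)."""
    out = subprocess.run(
        ["dpkg-query", "-W", "--showformat=${Version}", package],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    import sys

    suite = sys.argv[1] if len(sys.argv) > 1 else "stretch"
    try:
        current = installed_version()
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        sys.exit(f"cannot query dpkg: {exc}")
    verdict = "fixed" if is_fixed(current, suite) else "VULNERABLE"
    print(f"dovecot-core {current} on {suite}: {verdict} for CVE-2017-15132")
```

Run it as `python3 check_dovecot.py jessie` (or `stretch`, `unstable`) on the host being audited. The point of carrying the full ordering rather than a regex is the two suffix cases on this page: `1:2.2.13-12~deb8u4` is older than `1:2.2.13-12` because `~` sorts below end-of-string, while `1:2.2.27-3+deb9u2` is newer than `1:2.2.27-3` because `+` sorts above it, and a version without the `1:` epoch is older than any with it regardless of the numbers that follow.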