drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Denial of Service in dovecot
Name: |
Denial of Service in dovecot |
|
ID: |
FEDORA-2015-7159 |
|
Distribution: |
Fedora |
|
Plattformen: |
Fedora 20 |
|
Datum: |
Di, 19. Mai 2015, 18:34 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3420 |
|
Applikationen: |
dovecot |
|
Originalnachricht |
Name : dovecot Product : Fedora 20 Version : 2.2.16 Release : 2.fc20 URL : http://www.dovecot.org/ Summary : Secure imap and pop3 server Description : Dovecot is an IMAP server for Linux/UNIX-like systems, written with security primarily in mind. It also contains a small POP3 server. It supports mail in either of maildir or mbox formats.
The SQL drivers and authentication plug-ins are in their subpackages.
------------------------------------------------------------------------------- - Update Information:
fixes CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process - dovecot updated to 2.2.16
- auth: Don't crash if master user login is attempted without
any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results
sometimes if buffering was split in the middle of a UTF-8 character.
This affected at least searching messages.
- String sanitization for some logged output wasn't done properly:
UTF-8 text could have been truncated wrongly or the truncation may
not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32
physical mailboxes could have caused crashes. - dovecot updated to 2.2.16
- auth: Don't crash if master user login is attempted without
any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results
sometimes if buffering was split in the middle of a UTF-8 character.
This affected at least searching messages.
- String sanitization for some logged output wasn't done properly:
UTF-8 text could have been truncated wrongly or the truncation may
not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32
physical mailboxes could have caused crashes. ------------------------------------------------------------------------------- - ChangeLog:
* Tue Apr 28 2015 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.16-2 - fix CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process * Mon Mar 16 2015 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.16-1 - dovecot updated to 2.2.16 - auth: Don't crash if master user login is attempted without any configured master=yes passdbs - Parsing UTF-8 text for mails could have caused broken results sometimes if buffering was split in the middle of a UTF-8 character. This affected at least searching messages. - String sanitization for some logged output wasn't done properly: UTF-8 text could have been truncated wrongly or the truncation may not have happened at all. - fts-lucene: Lookups from virtual mailbox consisting of over 32 physical mailboxes could have caused crashes. * Thu Feb 5 2015 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.15-3 - fix mbox istream crashes (#1189198, #1186504) * Mon Jan 5 2015 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.15-2 - fix crash related to logging BYE notifications (#1176282) - update pigeonhole to 0.4.6 * Thu Oct 30 2014 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.15-1 - dovecot updated to 2.2.15 - various race condition fixes to LAYOUT=index - v2.2.14 virtual plugin crashed in some situations * Fri Oct 17 2014 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.14-1 - dovecot updated to 2.2.14, pigeonhole updated to 0.4.3 - fixed several race conditions with dovecot.index.cache handling that may have caused unnecessary "cache is corrupted" errors. - auth: If auth client listed userdb and disconnected before finishing, the auth worker process got stuck - imap-login, pop3-login: Fixed potential crashes when client disconnected unexpectedly. - imap proxy: The connection was hanging in some usage patterns. * Thu Aug 21 2014 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.13-2 - use network-online target instead of just network (#1119814) * Mon May 12 2014 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.13-1 - dovecot updated to 2.2.13 - fixes CVE-2014-3430: denial of service through maxxing out SSL connections - pop3 server was still crashing in v2.2.12 - maildir: Various fixes and improvements to handling compressed mails - fts-lucene, fts-solr: Fixed crash on search when the index contained duplicate entries. - mail_attachment_dir: Attachments with the last base64-encoded line longer than the rest wasn't handled correctly. - IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+ - acl: Global ACL file handling was broken when multiple entries matched the mailbox name * Fri Feb 14 2014 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.12-1 - dovecot updated to 2.2.12 - fixes pop3 crash * Thu Feb 13 2014 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.11-1 - dovecot updated to 2.2.11 - imap: SEARCH/SORT PARTIAL reponses may have been too large. - doveadm backup: Fixed assert-crash when syncing mailbox deletion. * Thu Jan 2 2014 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.10-1 - dovecot updated to 2.2.10 - quota-status: quota_grace was ignored - ldap: Fixed memory leak with auth_bind=yes and without auth_bind_userdn. - imap: Don't send HIGHESTMODSEQ anymore on SELECT/EXAMINE when CONDSTORE/QRESYNC has never before been enabled for the mailbox. - imap: Fixes to handling mailboxes without permanent modseqs. (When [NOMODSEQ] is returned by SELECT, mainly with in-memory indexes.) - imap: Various fixes to METADATA support. - stats plugin: Processes that only temporarily dropped privileges (e.g. indexer-worker) may have been logging errors about not being able to open /proc/self/io. * Mon Nov 25 2013 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.9-1 - improved cache file handling exposed several old bugs related to fetching mail headers. - iostream handling changes were causing some connections to be disconnected before flushing their output * Wed Nov 20 2013 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.8-1 - Fixed infinite loop in message parsing if message ends with "--boundary" and CR (without LF). Messages saved via SMTP/LMTP can't trigger this, because messages must end with an "LF.". A user could trigger this for him/herself though. - lmtp: Client was sometimes disconnected before all the output was sent to it. - replicator: Database wasn't being exported to disk every 15 minutes as it should have. Instead it was being imported, causing "doveadm replicator remove" commands to not work very well. ------------------------------------------------------------------------------- - References:
[ 1 ] Bug #1216057 - CVE-2015-3420 dovecot: SSL/TLS handshake failures leading to a crash of the login process. https://bugzilla.redhat.com/show_bug.cgi?id=1216057 ------------------------------------------------------------------------------- -
This update can be installed with the "yum" update program. Use su -c 'yum update dovecot' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys ------------------------------------------------------------------------------- - _______________________________________________ package-announce mailing list package-announce@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/package-announce
|
|
|
|