ESB-2018.0622 - [Debian] dovecot: Multiple vulnerabilities 2018-03-05


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0622
                          dovecot security update
                               5 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dovecot
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-15132 CVE-2017-15130 CVE-2017-14461

Reference:         ESB-2018.0328

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4130

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4130-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 02, 2018                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : dovecot
CVE ID         : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132
Debian Bug     : 888432 891819 891820

Several vulnerabilities have been discovered in the Dovecot email
server. The Common Vulnerabilities and Exposures project identifies the
following issues:

CVE-2017-14461

    Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that
    Dovecot does not properly parse invalid email addresses, which may
    cause a crash or leak memory contents to an attacker.

CVE-2017-15130

    It was discovered that TLS SNI config lookups may lead to excessive
    memory usage, causing the imap-login/pop3-login VSZ limit to be
    reached and the process to be restarted, resulting in a denial of
    service. Only Dovecot configurations containing local_name { } or
    local { } configuration blocks are affected.

CVE-2017-15132

    It was discovered that Dovecot contains a memory leak flaw in the
    login process on aborted SASL authentication.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:2.2.13-12~deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 1:2.2.27-3+deb9u2.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
