ESB-2018.0948 - [Debian] dovecot: Multiple vulnerabilities 2018-04-03


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0948
                          dovecot security update
                               3 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dovecot
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-15132 CVE-2017-15130 CVE-2017-14461

Reference:         ESB-2018.0622
                   ESB-2018.0328

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : dovecot
Version        : 1:2.1.7-7+deb7u2
CVE ID         : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132


Several vulnerabilities have been discovered in the Dovecot email
server. The Common Vulnerabilities and Exposures project identifies the
following issues:

CVE-2017-14461

     Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that
     Dovecot does not properly parse invalid email addresses, which may
     cause a crash or leak memory contents to an attacker.

CVE-2017-15130

     It was discovered that TLS SNI config lookups may lead to excessive
     memory usage, causing the imap-login/pop3-login VSZ limit to be
     reached and the process to be restarted, resulting in a denial of
     service. Only Dovecot configurations containing local_name { } or
     local { } configuration blocks are affected.

CVE-2017-15132

     It was discovered that Dovecot contains a memory leak flaw in the
     login process on aborted SASL authentication.


For Debian 7 "Wheezy", these problems have been fixed in version
1:2.1.7-7+deb7u2.

We recommend that you upgrade your dovecot packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
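A quick local "am I affected?" check for the two conditions the Debian advisory above names: whether the installed package is at or past the fixed version 1:2.1.7-7+deb7u2, and whether the configuration contains the local_name { } or local { } blocks that make the CVE-2017-15130 login-process memory exhaustion reachable. This is an added shell example, not code from the Debian advisory, AusCERT or the Dovecot project. It assumes the Debian binary package is named dovecot-core and that `doveconf -n` prints the active configuration one setting or block opener per line; the configuration dump embedded in the block is constructed so the block runs offline.

```shell
#!/bin/sh
# Added example (not part of the Debian LTS advisory or Dovecot itself).
# Two checks for the issues in the advisory on a Debian 7 host:
#   1. is the installed dovecot-core at or past the fixed version?
#   2. does the active config contain local_name { } / local { } blocks,
#      the precondition for the CVE-2017-15130 denial of service?
# Assumptions: the binary package is named dovecot-core (an assumption about
# the wheezy packaging) and `doveconf -n` prints one block opener per line.

FIXED_VERSION='1:2.1.7-7+deb7u2'

# count_sni_blocks: read a configuration dump on stdin and print the number
# of lines that open a local_name { } or local { } block.
count_sni_blocks() {
    # grep -c exits 1 when nothing matches; a count of 0 is a result, not an error.
    grep -c -E '^[[:space:]]*local(_name)?[[:space:]]+[^{]*\{' || true
}

# version_is_fixed INSTALLED: succeed if INSTALLED >= FIXED_VERSION under
# Debian version ordering (epoch, upstream version, revision, "~" sorts first),
# delegating the comparison to dpkg rather than re-implementing it.
version_is_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_VERSION"
}

# check_host: run both checks against the live system. Returns 2 when the
# host is not a Debian system with dovecot-core installed.
check_host() {
    command -v dpkg-query >/dev/null 2>&1 || return 2
    installed=$(dpkg-query -W -f='${Version}' dovecot-core 2>/dev/null) || return 2
    if version_is_fixed "$installed"; then
        echo "dovecot-core $installed: fixed version installed"
    else
        echo "dovecot-core $installed: VULNERABLE, upgrade to $FIXED_VERSION"
    fi
    if command -v doveconf >/dev/null 2>&1; then
        n=$(doveconf -n | count_sni_blocks)
        echo "local_name/local blocks in active config (CVE-2017-15130 precondition): $n"
    fi
}

# Constructed sample of a `doveconf -n` dump (not taken from any real host),
# containing one local_name block and one local block.
SAMPLE_CONFIG='protocols = imap pop3
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.pem
local_name imap.example.com {
  ssl_cert = </etc/ssl/certs/imap.example.com.pem
}
local 192.0.2.10 {
  ssl_cert = </etc/ssl/certs/other.pem
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}'

# Offline run against the constructed sample; on a real host call check_host.
printf '%s\n' "$SAMPLE_CONFIG" | count_sni_blocks
```

On a Debian host, run `check_host` to print both results; the version comparison is deliberately left to `dpkg --compare-versions` because naive string comparison gets epochs and `~` suffixes wrong. A count of zero SNI blocks does not change the need to upgrade: CVE-2017-14461 and CVE-2017-15132 apply regardless of the local_name/local configuration.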

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
