Arch Linux Security Advisory ASA-201504-31 ========================================== Severity: Low Date : 2015-04-29 CVE-ID : CVE-2015-3420 Package : dovecot Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package dovecot before version 2.2.16-2 is vulnerable to a remote denial of service. Resolution ========== Upgrade to 2.2.16-2. # pacman -Syu "dovecot>=2.2.16-2" The problem has been fixed upstream but no new version has been released yet. Workaround ========== None. Description =========== Dovecot <= 2.2.14 does not correctly handle SSL/TLS handshake failure in the login process, asking OpenSSL to flush a connection that has already been aborted. This results in a crash with some versions of OpenSSL (most likely >= 1.0.2). A patch to OpenSSL has also been written to handle more gracefully this situation, see references. Impact ====== A remote unauthenticated attacker can cause a denial of service by constantly connecting to Dovecot then causing a SSL/TLS handshake failure. References ========== https://access.redhat.com/security/cve/CVE-2015-3420 https://bugs.archlinux.org/task/44757 http://seclists.org/oss-sec/2015/q2/288 http://dovecot.org/pipermail/dovecot/2015-April/100618.html https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest