[arch-security] [ASA-201504-31] dovecot: denial of service

Remi Gacogne rgacogne at archlinux.org
Wed Apr 29 08:41:29 UTC 2015


Arch Linux Security Advisory ASA-201504-31
==========================================

Severity: Low
Date    : 2015-04-29
CVE-ID  : CVE-2015-3420
Package : dovecot
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package dovecot before version 2.2.16-2 is vulnerable to a remote
denial of service.

Resolution
==========

Upgrade to 2.2.16-2.

# pacman -Syu "dovecot>=2.2.16-2"

The problem has been fixed upstream but no new version has been released
yet.

Workaround
==========

None.

Description
===========

Dovecot <= 2.2.14 does not correctly handle SSL/TLS handshake failure in
the login process, asking OpenSSL to flush a connection that has already
been aborted. This results in a crash with some versions of OpenSSL
(most likely >= 1.0.2). A patch to OpenSSL has also been written to
handle more gracefully this situation, see references.

Impact
======

A remote unauthenticated attacker can cause a denial of service by
constantly connecting to Dovecot then causing a SSL/TLS handshake failure.

References
==========

https://access.redhat.com/security/cve/CVE-2015-3420
https://bugs.archlinux.org/task/44757
http://seclists.org/oss-sec/2015/q2/288
http://dovecot.org/pipermail/dovecot/2015-April/100618.html
https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150429/ca113537/attachment.asc>


More information about the arch-security mailing list