[arch-security] [ASA-201504-31] dovecot: denial of service
rgacogne at archlinux.org
Wed Apr 29 08:41:29 UTC 2015
Arch Linux Security Advisory ASA-201504-31
Date : 2015-04-29
CVE-ID : CVE-2015-3420
Package : dovecot
Type : denial of service
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package dovecot before version 2.2.16-2 is vulnerable to a remote
denial of service.
Upgrade to 2.2.16-2.
# pacman -Syu "dovecot>=2.2.16-2"
The problem has been fixed upstream but no new version has been released
Dovecot <= 2.2.14 does not correctly handle SSL/TLS handshake failure in
the login process, asking OpenSSL to flush a connection that has already
been aborted. This results in a crash with some versions of OpenSSL
(most likely >= 1.0.2). A patch to OpenSSL has also been written to
handle more gracefully this situation, see references.
A remote unauthenticated attacker can cause a denial of service by
constantly connecting to Dovecot then causing a SSL/TLS handshake failure.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: OpenPGP digital signature
More information about the arch-security