[arch-security] [ASA-201504-31] dovecot: denial of service
Remi Gacogne
rgacogne at archlinux.org
Wed Apr 29 08:41:29 UTC 2015
Arch Linux Security Advisory ASA-201504-31
==========================================
Severity: Low
Date : 2015-04-29
CVE-ID : CVE-2015-3420
Package : dovecot
Type : denial of service
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package dovecot before version 2.2.16-2 is vulnerable to a remote
denial of service.
Resolution
==========
Upgrade to 2.2.16-2.
# pacman -Syu "dovecot>=2.2.16-2"
The problem has been fixed upstream but no new version has been released
yet.
Workaround
==========
None.
Description
===========
Dovecot <= 2.2.14 does not correctly handle SSL/TLS handshake failure in
the login process, asking OpenSSL to flush a connection that has already
been aborted. This results in a crash with some versions of OpenSSL
(most likely >= 1.0.2). A patch to OpenSSL has also been written to
handle this situation more gracefully, see references.
Impact
======
A remote unauthenticated attacker can cause a denial of service by
constantly connecting to Dovecot and then causing an SSL/TLS handshake failure.
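Added example, not part of the advisory or of Dovecot's own code: a Python scan over syslog-style Dovecot log lines that flags remote addresses producing bursts of failed TLS handshakes against login processes and counts login-process crashes reported by the master process, which is what an unpatched server would show in its logs under the pattern described above. The sample log lines, hostnames, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Dovecot login-process line for a failed TLS handshake; rip= is the remote IP.
HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: (?P<svc>\w+-login): "
    r"Disconnected.*?rip=(?P<rip>[\da-fA-F.:]+).*?TLS handshaking: SSL_accept\(\) failed")
# Dovecot master reporting a login child that died from a signal (e.g. a segfault).
CRASH_RE = re.compile(r"dovecot: master: Error: service\(\w+-login\): child \d+ killed with signal \d+")

def parse_ts(ts):
    # Syslog timestamps carry no year; only deltas inside one log run matter here.
    return datetime.strptime(ts, "%b %d %H:%M:%S")

def scan(log_text, threshold=5, window_seconds=60):
    """Return ({rip: peak failures within window_seconds, for rips reaching threshold}, crash_count)."""
    recent = defaultdict(deque)  # rip -> timestamps of its recent handshake failures
    peak = defaultdict(int)
    crashes = 0
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            rip, t = m.group("rip"), parse_ts(m.group("ts"))
            q = recent[rip]
            q.append(t)
            while (t - q[0]).total_seconds() > window_seconds:  # drop events outside the window
                q.popleft()
            peak[rip] = max(peak[rip], len(q))
        elif CRASH_RE.search(line):
            crashes += 1
    return {rip: n for rip, n in peak.items() if n >= threshold}, crashes

# Constructed sample log (not from the advisory): one source fails the handshake
# six times in six seconds, a second source fails once, then a login child dies.
def _fail(sec, rip):
    return (f"Apr 29 08:40:{sec:02d} mx dovecot: imap-login: Disconnected (no auth attempts in 0 secs): "
            f"user=<>, rip={rip}, lip=198.51.100.2, TLS handshaking: SSL_accept() failed: "
            "error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number")

SAMPLE_LOG = "\n".join([_fail(s, "203.0.113.7") for s in range(1, 7)] + [_fail(9, "198.51.100.9")]
    + ["Apr 29 08:40:10 mx dovecot: master: Error: service(imap-login): child 1234 killed with signal 11 (core dumped)"])

if __name__ == "__main__":
    suspects, crashes = scan(SAMPLE_LOG)
    print("suspect sources:", suspects)        # {'203.0.113.7': 6}
    print("login-process crashes:", crashes)   # 1
```

On a real host the same scan can be pointed at the mail log; a source that repeatedly fails the handshake right before login children die is the signature to correlate with the package version.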
References
==========
https://access.redhat.com/security/cve/CVE-2015-3420
https://bugs.archlinux.org/task/44757
http://seclists.org/oss-sec/2015/q2/288
http://dovecot.org/pipermail/dovecot/2015-April/100618.html
https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest