| Summary: | dovecot new security issue CVE-2014-3430 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | mitya, oe, sysadmin-bugs, tmb, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/599083/ | ||
| Whiteboard: | MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory | ||
| Source RPM: | dovecot-2.2.6-3.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-05-09 23:10:50 CEST

David Walser
2014-05-09 23:11:03 CEST
Whiteboard: (none) => MGA4TOO, MGA3TOO

Dovecot 2.2.13 has been released on May 11, fixing this issue:
http://www.dovecot.org/list/dovecot-news/2014-May/000273.html

fixed with dovecot-2.1.15-2.1.mga3, dovecot-2.2.6-2.2.mga4 & dovecot-2.2.13-1.mga5.
CC: (none) => oe

Thanks Oden!

Advisory:
========================

Updated dovecot packages fix security vulnerability:

Dovecot before 2.2.13 is vulnerable to a DoS attack against imap/pop3-login
processes. If SSL/TLS handshake was started but wasn't finished, the login
process attempted to eventually forcibly disconnect the client, but failed to
do it correctly. This could have left the connections hanging around for a
long time (CVE-2014-3430).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3430
http://permalink.gmane.org/gmane.mail.imap.dovecot/77499
http://www.dovecot.org/list/dovecot-news/2014-May/000273.html
http://openwall.com/lists/oss-security/2014/05/09/8
========================

Updated packages in core/updates_testing:
========================
dovecot-2.1.15-2.1.mga3
dovecot-pigeonhole-2.1.15-2.1.mga3
dovecot-pigeonhole-devel-2.1.15-2.1.mga3
dovecot-plugins-pgsql-2.1.15-2.1.mga3
dovecot-plugins-mysql-2.1.15-2.1.mga3
dovecot-plugins-ldap-2.1.15-2.1.mga3
dovecot-plugins-gssapi-2.1.15-2.1.mga3
dovecot-plugins-sqlite-2.1.15-2.1.mga3
dovecot-devel-2.1.15-2.1.mga3
dovecot-2.2.6-2.2.mga4
dovecot-pigeonhole-2.2.6-2.2.mga4
dovecot-pigeonhole-devel-2.2.6-2.2.mga4
dovecot-plugins-pgsql-2.2.6-2.2.mga4
dovecot-plugins-mysql-2.2.6-2.2.mga4
dovecot-plugins-ldap-2.2.6-2.2.mga4
dovecot-plugins-gssapi-2.2.6-2.2.mga4
dovecot-plugins-sqlite-2.2.6-2.2.mga4
dovecot-devel-2.2.6-2.2.mga4

from SRPMS:
dovecot-2.1.15-2.1.mga3.src.rpm
dovecot-2.2.6-2.2.mga4.src.rpm
CC: (none) => mitya

Testing complete mga4 64
Basic testing only. Use ctrl+] to get the telnet prompt in a telnet session.
# service dovecot start
Redirecting to /bin/systemctl start dovecot.service
# service dovecot status
Redirecting to /bin/systemctl status dovecot.service
dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
Active: active (running) since Tue 2014-05-13 18:04:33 BST; 5s ago
Main PID: 14150 (dovecot)
CGroup: /system.slice/dovecot.service
├─14150 /usr/sbin/dovecot -F
├─14162 dovecot/anvil
├─14163 dovecot/log
└─14171 dovecot/config
systemd[1]: Started Dovecot IMAP/POP3 email server.
dovecot[13062]: master: Dovecot v2.2.6 starting up (core dumps disabled)
# doveconf protocols listen
protocols = imap pop3 lmtp
listen = *
# telnet localhost 143
Trying 127.0.0.1...
Connected to computer.athome.net (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
telnet> close
Connection closed.
# telnet localhost 110
Trying 127.0.0.1...
Connected to computer.athome.net (127.0.0.1).
Escape character is '^]'.
+OK Dovecot ready.
^]
telnet> close
Connection closed.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

(In reply to claire robinson from comment #4)
> Basic testing only. Use ctrl+] to get the telnet prompt in a telnet session.

Share with me how to open/start a telnet session. Thanks
CC: (none) => wilcal.int

Install any of krb5-appl-clients, heimdal-telnet, netkit-telnet to get telnet utility. To use it just do as I did in comment 4.

(In reply to claire robinson from comment #6)
> Install any of krb5-appl-clients, heimdal-telnet, netkit-telnet to get
> telnet utility. To use it just do as I did in comment 4.

Thanks, I'll be poke'n at this between now and the meeting tomorrow. It's been a VERY long time since I've tinkered with telnet.

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: dovecot krb5-appl-clients

default install of dovecot

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.6-2.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi krb5-appl-clients
Package krb5-appl-clients-1.0.3-3.mga4.i586 is already installed

dovecot and telnet respond the same as procedure in Comment 4

install dovecot from updates_testing

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.6-2.2.mga4.i586 is already installed

dovecot and telnet respond the same as procedure in Comment 4

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

In VirtualBox, M3, KDE, 32-bit

Package(s) under test: dovecot krb5-appl-clients

default install of dovecot

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.1.15-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi krb5-appl-clients
Package krb5-appl-clients-1.0.3-2.mga3.i586 is already installed

dovecot and telnet respond the same as procedure in Comment 4

install dovecot from updates_testing

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.1.15-2.1.mga3.i586 is already installed

dovecot and telnet respond the same as procedure in Comment 4
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok

In VirtualBox, M3, KDE, 64-bit

Package(s) under test: dovecot krb5-appl-clients

default install of dovecot

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.1.15-2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi krb5-appl-clients
Package krb5-appl-clients-1.0.3-2.mga3.x86_64 is already installed

dovecot and telnet respond the same as procedure in Comment 4

install dovecot from updates_testing

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.1.15-2.1.mga3.x86_64 is already installed

dovecot and telnet respond the same as procedure in Comment 4
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_update

Mandriva has issued an advisory for this today (May 16):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:099/
URL: (none) => http://lwn.net/Vulnerabilities/599083/

advisory added.

update pushed:
http://advisories.mageia.org/MGASA-2014-0223.html
Status: NEW => RESOLVED
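The manual check from comment 4 (greeting on ports 143 and 110) and the fixed package versions from the advisory, combined into a script a QA tester could run after `urpmi dovecot`. This is an added example, not part of the bug report and not Mageia or Dovecot tooling; it assumes dovecot carries no RPM epoch (so `%{VERSION}-%{RELEASE}` compares cleanly) and that the listener is on localhost.

```python
import re
import socket
import subprocess

# Fixed version-release strings from the advisory above, keyed by Mageia release.
FIXED = {"mga3": "2.1.15-2.1", "mga4": "2.2.6-2.2", "mga5": "2.2.13-1"}


def rpmvercmp(a, b):
    """Simplified rpm-style compare: numeric runs numerically, alpha runs
    lexically, and a numeric segment sorts newer than an alpha one.
    Returns -1, 0 or 1 (enough for the mgaN release strings on this page)."""
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def is_fixed(evr):
    """True if a 'version-release.mgaN' string is at or past the advisory's fix."""
    m = re.search(r"\.(mga\d+)$", evr)
    if not m or m.group(1) not in FIXED:
        return False
    return rpmvercmp(evr, FIXED[m.group(1)] + "." + m.group(1)) >= 0


def parse_imap_greeting(line):
    """Capability list from a Dovecot IMAP greeting, or None if it is not one."""
    m = re.match(r"\* OK \[CAPABILITY ([^\]]+)\] Dovecot ready\.", line)
    return m.group(1).split() if m else None


def pop3_greeting_ok(line):
    return line.startswith("+OK") and "Dovecot" in line


def read_banner(host, port, timeout=5.0):
    """Connect and read one greeting line, as 'telnet localhost 143' did in comment 4."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.makefile("r", encoding="ascii", errors="replace").readline().rstrip("\r\n")


if __name__ == "__main__":
    evr = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "dovecot"],
                         capture_output=True, text=True, check=True).stdout.strip()
    print("dovecot", evr, "fixed" if is_fixed(evr) else "NOT fixed")
    caps = parse_imap_greeting(read_banner("localhost", 143))
    print("IMAP greeting ok:", caps is not None, "STARTTLS:", "STARTTLS" in (caps or []))
    print("POP3 greeting ok:", pop3_greeting_ok(read_banner("localhost", 110)))
```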