| Summary: | dovecot new security issue fixed upstream in 2.2.19 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, wilcal.int, yann.cantin |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/664643/ | ||
| Whiteboard: | MGA5-32-OK MGA5-64-OK advisory | ||
| Source RPM: | dovecot-2.2.18-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-11-16 23:11:26 CET
David Walser
2015-11-16 23:11:32 CET
Whiteboard:
(none) =>
MGA5TOO

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated dovecot packages fix security vulnerability:

A buffer overflow may occur when handling pop3_deleted_flag setting. This can lead to crashing POP3 sessions in normal use. No CVE for now.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171657.html
http://hg.dovecot.org/dovecot-2.2/rev/05e0700daea3
========================

Updated packages in core/updates_testing:
========================
dovecot-2.2.13-5.1.mga5
dovecot-pigeonhole-2.2.13-5.1.mga5
dovecot-pigeonhole-devel-2.2.13-5.1.mga5
dovecot-plugins-pgsql-2.2.13-5.1.mga5
dovecot-plugins-mysql-2.2.13-5.1.mga5
dovecot-plugins-ldap-2.2.13-5.1.mga5
dovecot-plugins-gssapi-2.2.13-5.1.mga5
dovecot-plugins-sqlite-2.2.13-5.1.mga5
dovecot-devel-2.2.13-5.1.mga5
dovecot-debuginfo-2.2.13-5.1.mga5
dovecot-2.2.19-1.mga6
dovecot-pigeonhole-2.2.19-1.mga6
dovecot-pigeonhole-devel-2.2.19-1.mga6
dovecot-plugins-pgsql-2.2.19-1.mga6
dovecot-plugins-mysql-2.2.19-1.mga6
dovecot-plugins-ldap-2.2.19-1.mga6
dovecot-plugins-gssapi-2.2.19-1.mga6
dovecot-plugins-sqlite-2.2.19-1.mga6
dovecot-devel-2.2.19-1.mga6
dovecot-debuginfo-2.2.19-1.mga6

from SRPMS:
dovecot-2.2.13-5.1.mga5.src.rpm
dovecot-2.2.19-1.mga6.src.rpm

Status:
NEW =>
ASSIGNED

Thanks Yann! Note that the advisory tag is for when an advisory has been committed to SVN.

CC:
(none) =>
yann.cantin

In VirtualBox, M5, KDE, 32-bit
Tested per procedure in 13355
Package(s) under test:
dovecot
default install of dovecot
[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.13-5.mga5.i586 is already installed
[root@localhost wilcal]# service dovecot start
Redirecting to /bin/systemctl start dovecot.service
[root@localhost wilcal]# service dovecot status
Redirecting to /bin/systemctl status dovecot.service
● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
Active: active (running) since Wed 2015-11-18 08:19:48 PST; 6min ago
Main PID: 2704 (dovecot)
CGroup: /system.slice/dovecot.service
├─2704 /usr/sbin/dovecot -F
├─2710 dovecot/anvil
└─2711 dovecot/log
Nov 18 08:19:48 localhost dovecot[2704]: master: Dovecot v2.2.13 starting up for imap, pop3, lmtp (core dumps disabled)
Nov 18 08:19:48 localhost dovecot[2711]: ssl-params: Generating SSL parameters
Nov 18 08:19:55 localhost dovecot[2711]: ssl-params: SSL parameters regeneration completed
Nov 18 08:21:32 localhost dovecot[2711]: imap-login: Disconnected: Too many invalid commands (no auth attempts in 75 secs): user=<>, rip=127.0.0.1...7AB/AAAB>
Nov 18 08:23:44 localhost dovecot[2711]: pop3-login: Disconnected (no auth attempts in 104 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, ...ggB/AAAB>
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost wilcal]# doveconf protocols listen
protocols = imap pop3 lmtp
listen = *
[root@localhost wilcal]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
telnet> close
Connection closed.
install dovecot from updates_testing
[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.13-5.1.mga5.i586 is already installed
[root@localhost wilcal]# service dovecot start
Redirecting to /bin/systemctl start dovecot.service
[root@localhost wilcal]# service dovecot status
Redirecting to /bin/systemctl status dovecot.service
● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
Active: active (running) since Wed 2015-11-18 08:29:26 PST; 36s ago
Main PID: 3301 (dovecot)
CGroup: /system.slice/dovecot.service
├─3301 /usr/sbin/dovecot -F
├─3317 dovecot/anvil
├─3318 dovecot/log
└─3321 dovecot/config
Nov 18 08:29:26 localhost dovecot[3301]: master: Dovecot v2.2.13 starting up for imap, pop3, lmtp (core dumps disabled)
[root@localhost wilcal]# doveconf protocols listen
protocols = imap pop3 lmtp
listen = *
[root@localhost wilcal]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
telnet> close
Connection closed.
[root@localhost wilcal]#
Updated dovecot works

CC:
(none) =>
wilcal.int

In VirtualBox, M5, KDE, 64-bit
Tested per procedure in 13355
Package(s) under test:
dovecot
default install of dovecot
[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.13-5.mga5.x86_64 is already installed
[root@localhost wilcal]# service dovecot start
Redirecting to /bin/systemctl start dovecot.service
[root@localhost wilcal]# service dovecot status
Redirecting to /bin/systemctl status dovecot.service
● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
Active: active (running) since Wed 2015-11-18 09:07:16 PST; 8s ago
Main PID: 2089 (dovecot)
CGroup: /system.slice/dovecot.service
├─2089 /usr/sbin/dovecot -F
├─2095 dovecot/anvil
├─2096 dovecot/log
└─2099 dovecot/config
Nov 18 09:07:16 localhost dovecot[2089]: master: Dovecot v2.2.13 starting up for imap, pop3, lmtp (core dumps disabled)
Nov 18 09:07:16 localhost dovecot[2096]: ssl-params: Generating SSL parameters
Nov 18 09:07:16 localhost dovecot[2096]: ssl-params: SSL parameters regeneration completed
[root@localhost wilcal]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
telnet> close
Connection closed.
install dovecot from updates_testing
[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.13-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# service dovecot start
Redirecting to /bin/systemctl start dovecot.service
[root@localhost wilcal]# service dovecot status
Redirecting to /bin/systemctl status dovecot.service
● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
Active: active (running) since Wed 2015-11-18 09:10:47 PST; 47s ago
Main PID: 2490 (dovecot)
CGroup: /system.slice/dovecot.service
├─2490 /usr/sbin/dovecot -F
├─2494 dovecot/anvil
├─2495 dovecot/log
└─2498 dovecot/config
Nov 18 09:10:47 localhost dovecot[2490]: master: Dovecot v2.2.13 starting up for imap, pop3, lmtp (core dumps disabled)
[root@localhost wilcal]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
telnet> close
Connection closed.
Updated dovecot works
Looks good to me. What you say David?

(In reply to William Kenney from comment #5)
> Looks good to me. What you say David?

Yep, thanks.

This update works fine.

Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords:
(none) =>
validated_update
Dave Hodgins
2015-11-19 17:20:31 CET
CC:
(none) =>
davidwhodgins

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0452.html

Status:
ASSIGNED =>
RESOLVED |