Bug 19885

Summary: dovecot new security issues CVE-2016-8652 and CVE-2017-2669
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: All Packagers <pkg-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: marja11
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://lwn.net/Vulnerabilities/709985/
Whiteboard:
Source RPM: dovecot-2.2.25-2.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2016-12-02 15:07:35 CET
A security issue fixed upstream in dovecot has been announced:
http://openwall.com/lists/oss-security/2016/12/02/4

It says it's fixed in 2.2.27.1rc1, but doesn't give a link to a commit that fixed it.  It does give a way to mitigate the issue.

We should update Cauldron to 2.2.27 (or 2.2.27.1, whatever they end up calling it, I'm not sure the .1 wasn't a typo since only 2.2.27rc1 has been announced upstream) when it's available.  We'll also need to wait for a compatible pigeonhole release, as it needs to be updated to be compatible with dovecot > 2.2.25.  Keep an eye on their mailing list:
http://www.dovecot.org/list/dovecot-news/

Hopefully a patch will become available for Mageia 5 (if it's affected).
Comment 1 David Walser 2016-12-04 16:24:35 CET
2.2.27 is out, but the updated pigeonhole hasn't been released yet:
http://www.dovecot.org/list/dovecot-news/2016-December/000333.html
Comment 2 Marja Van Waes 2016-12-05 11:42:46 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Status comment: (none) => Mga5 might be affected, too
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2016-12-05 20:09:27 CET
Mageia 5 is not affected:
http://openwall.com/lists/oss-security/2016/12/05/12
Comment 4 David Walser 2016-12-22 17:40:45 CET
Fedora has issued an advisory for this today (December 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P3YBFOJU7UF6GOOMMMQLKEB42EGP7LQW/

I still don't see an updated pigeonhole upstream for 2.2.27.

URL: (none) => https://lwn.net/Vulnerabilities/709985/
Severity: normal => major

David Walser 2016-12-22 17:41:18 CET

Status comment: Mga5 might be affected, too => (none)

Comment 5 David Walser 2017-04-14 21:33:41 CEST
Ubuntu has issued an advisory on April 10:
https://www.ubuntu.com/usn/usn-3258-1/

The upstream fix is linked from:
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2669.html

Mageia 5 is not affected.

Summary: dovecot new security issue CVE-2016-8652 => dovecot new security issues CVE-2016-8652 and CVE-2017-2669

Comment 6 David Walser 2017-04-14 21:46:54 CEST
Note that Ubuntu had to issue a regression fix:
https://www.ubuntu.com/usn/usn-3258-2/
Comment 8 David Walser 2017-04-14 22:54:11 CEST
dovecot-2.2.29.1-1.mga6 uploaded for Cauldron.

Status: NEW => RESOLVED
Resolution: (none) => FIXED