A CVE has been assigned for a DoS security issue in Dovecot:
http://openwall.com/lists/oss-security/2014/05/09/8

More details and links to upstream commits to fix this are in the CVE request:
http://openwall.com/lists/oss-security/2014/05/09/4

It will also be fixed in 2.2.13 and possibly 2.1.18 (if it's released).

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Dovecot 2.2.13 has been released on May 11, fixing this issue: http://www.dovecot.org/list/dovecot-news/2014-May/000273.html
fixed with dovecot-2.1.15-2.1.mga3, dovecot-2.2.6-2.2.mga4 & dovecot-2.2.13-1.mga5.
CC: (none) => oe
Thanks Oden!

Advisory:
========================

Updated dovecot packages fix security vulnerability:

Dovecot before 2.2.13 is vulnerable to a DoS attack against imap/pop3-login processes. If SSL/TLS handshake was started but wasn't finished, the login process attempted to eventually forcibly disconnect the client, but failed to do it correctly. This could have left the connections hanging around for a long time (CVE-2014-3430).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3430
http://permalink.gmane.org/gmane.mail.imap.dovecot/77499
http://www.dovecot.org/list/dovecot-news/2014-May/000273.html
http://openwall.com/lists/oss-security/2014/05/09/8
========================

Updated packages in core/updates_testing:
========================
dovecot-2.1.15-2.1.mga3
dovecot-pigeonhole-2.1.15-2.1.mga3
dovecot-pigeonhole-devel-2.1.15-2.1.mga3
dovecot-plugins-pgsql-2.1.15-2.1.mga3
dovecot-plugins-mysql-2.1.15-2.1.mga3
dovecot-plugins-ldap-2.1.15-2.1.mga3
dovecot-plugins-gssapi-2.1.15-2.1.mga3
dovecot-plugins-sqlite-2.1.15-2.1.mga3
dovecot-devel-2.1.15-2.1.mga3

dovecot-2.2.6-2.2.mga4
dovecot-pigeonhole-2.2.6-2.2.mga4
dovecot-pigeonhole-devel-2.2.6-2.2.mga4
dovecot-plugins-pgsql-2.2.6-2.2.mga4
dovecot-plugins-mysql-2.2.6-2.2.mga4
dovecot-plugins-ldap-2.2.6-2.2.mga4
dovecot-plugins-gssapi-2.2.6-2.2.mga4
dovecot-plugins-sqlite-2.2.6-2.2.mga4
dovecot-devel-2.2.6-2.2.mga4

from SRPMS:
dovecot-2.1.15-2.1.mga3.src.rpm
dovecot-2.2.6-2.2.mga4.src.rpm
CC: (none) => mitya
Version: Cauldron => 4
Assignee: mitya => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Testing complete mga4 64

Basic testing only. Use ctrl+] to get the telnet prompt in a telnet session.

# service dovecot start
Redirecting to /bin/systemctl start dovecot.service
# service dovecot status
Redirecting to /bin/systemctl status dovecot.service
dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
   Active: active (running) since Tue 2014-05-13 18:04:33 BST; 5s ago
 Main PID: 14150 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─14150 /usr/sbin/dovecot -F
           ├─14162 dovecot/anvil
           ├─14163 dovecot/log
           └─14171 dovecot/config

systemd[1]: Started Dovecot IMAP/POP3 email server.
dovecot[13062]: master: Dovecot v2.2.6 starting up (core dumps disabled)

# doveconf protocols listen
protocols = imap pop3 lmtp
listen = *

# telnet localhost 143
Trying 127.0.0.1...
Connected to computer.athome.net (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
telnet> close
Connection closed.

# telnet localhost 110
Trying 127.0.0.1...
Connected to computer.athome.net (127.0.0.1).
Escape character is '^]'.
+OK Dovecot ready.
^]
telnet> close
Connection closed.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
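The advisory above describes the bug class (a login process that greets a client, then fails to actually cut off a client that never completes its handshake), and comment 4 shows the manual check the tester ran over telnet. The following is an added example written for this page; it is not code from the Mageia bug report or from Dovecot. It runs a constructed stand-in for imap-login/pop3-login on loopback whose greeting strings are copied from comment 4, enforces a handshake deadline the way the fixed versions must, and then scripts comment 4's banner check plus a deliberately silent client to confirm the stalled connection is closed rather than left hanging. The `LoginListener` class, the 0.3 s deadline and the helper names are all assumptions of this example.

```python
import asyncio
import contextlib
import re

# Greetings copied from comment 4; the listener is a constructed stand-in, not Dovecot code.
IMAP_GREETING = (b"* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
                 b"IDLE STARTTLS AUTH=PLAIN] Dovecot ready.\r\n")
POP3_GREETING = b"+OK Dovecot ready.\r\n"

async def _close(writer):
    writer.close()
    with contextlib.suppress(OSError):
        await writer.wait_closed()

class LoginListener:
    """Greet, then require the client's first line within `handshake_deadline`
    seconds; a client that never finishes is closed instead of left hanging."""

    def __init__(self, greeting, handshake_deadline):
        self.greeting = greeting
        self.deadline = handshake_deadline
        self.completed = 0   # clients that spoke in time
        self.timed_out = 0   # clients forcibly disconnected at the deadline
        self.in_flight = 0   # handlers still running, see settled()

    async def handle(self, reader, writer):
        self.in_flight += 1
        try:
            writer.write(self.greeting)
            await writer.drain()
            try:
                line = await asyncio.wait_for(reader.readline(), self.deadline)
            except asyncio.TimeoutError:
                # The step the advisory says Dovecot < 2.2.13 got wrong: the forced
                # disconnect must really happen, so the close sits in finally.
                self.timed_out += 1
            else:
                if line:
                    self.completed += 1
        finally:
            await _close(writer)
            self.in_flight -= 1

    async def settled(self):
        while self.in_flight:
            await asyncio.sleep(0.01)

def parse_imap_greeting(line):
    """Capabilities and text from an IMAP '* OK [CAPABILITY ...]' greeting, else None."""
    m = re.match(r"\* OK \[CAPABILITY ([^\]]*)\] (.*)$", line)
    return None if not m else {"capabilities": m.group(1).split(),
                               "text": m.group(2).strip()}

async def probe_greeting(host, port, farewell, timeout=5.0):
    """Comment 4's check, scripted: connect, read the banner, say goodbye, hang up."""
    reader, writer = await asyncio.open_connection(host, port)
    try:
        raw = await asyncio.wait_for(reader.readline(), timeout)
        writer.write(farewell)
        await writer.drain()
    finally:
        await _close(writer)
    return raw.decode("ascii", "replace").rstrip("\r\n")

async def stalled_client(host, port, hold):
    """Connect, read the greeting, stay silent; True if the server sends EOF within `hold` s."""
    reader, writer = await asyncio.open_connection(host, port)
    try:
        await reader.readline()
        try:
            return await asyncio.wait_for(reader.read(1), hold) == b""
        except asyncio.TimeoutError:
            return False   # left hanging: the pre-2.2.13 behaviour
    finally:
        await _close(writer)

async def _demo():
    imap = LoginListener(IMAP_GREETING, handshake_deadline=0.3)
    pop3 = LoginListener(POP3_GREETING, handshake_deadline=0.3)
    imap_srv = await asyncio.start_server(imap.handle, "127.0.0.1", 0)
    pop3_srv = await asyncio.start_server(pop3.handle, "127.0.0.1", 0)
    imap_port = imap_srv.sockets[0].getsockname()[1]
    pop3_port = pop3_srv.sockets[0].getsockname()[1]
    try:
        imap_banner = await probe_greeting("127.0.0.1", imap_port, b"a1 LOGOUT\r\n")
        pop3_banner = await probe_greeting("127.0.0.1", pop3_port, b"QUIT\r\n")
        stalled_cut = await stalled_client("127.0.0.1", imap_port, hold=3.0)
        await imap.settled()
        await pop3.settled()
    finally:
        imap_srv.close()
        pop3_srv.close()
    return {"imap": parse_imap_greeting(imap_banner), "pop3": pop3_banner,
            "stalled_client_disconnected": stalled_cut,
            "imap_completed": imap.completed, "imap_timed_out": imap.timed_out}

def run_demo():
    """Run the whole exchange on loopback and return the observations."""
    return asyncio.run(_demo())
```

Calling `run_demo()` returns the parsed IMAP capabilities (including STARTTLS, as in comment 4), the POP3 banner, `stalled_client_disconnected: True`, and one completed plus one timed-out IMAP connection. Against a real server the same `probe_greeting` call works as a banner check on ports 143 and 110, while a `stalled_client` result of `False` would mean the listener is still leaving unfinished connections open.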
(In reply to claire robinson from comment #4)
> Basic testing only. Use ctrl+] to get the telnet prompt in a telnet session.

Share with me how to open/start a telnet session. Thanks
CC: (none) => wilcal.int
Install any of krb5-appl-clients, heimdal-telnet, netkit-telnet to get telnet utility. To use it just do as I did in comment 4.
(In reply to claire robinson from comment #6)
> Install any of krb5-appl-clients, heimdal-telnet, netkit-telnet to get
> telnet utility. To use it just do as I did in comment 4.

Thanks, I'll be poke'n at this between now and the meeting tomorrow. It's been a VERY long time since I've tinkered with telnet.
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: dovecot krb5-appl-clients

default install of dovecot

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.6-2.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi krb5-appl-clients
Package krb5-appl-clients-1.0.3-3.mga4.i586 is already installed

dovecot and telnet respond the same as procedure in Comment 4

install dovecot from updates_testing

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.6-2.2.mga4.i586 is already installed

dovecot and telnet respond the same as procedure in Comment 4

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: dovecot krb5-appl-clients

default install of dovecot

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.1.15-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi krb5-appl-clients
Package krb5-appl-clients-1.0.3-2.mga3.i586 is already installed

dovecot and telnet respond the same as procedure in Comment 4

install dovecot from updates_testing

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.1.15-2.1.mga3.i586 is already installed

dovecot and telnet respond the same as procedure in Comment 4

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: dovecot krb5-appl-clients

default install of dovecot

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.1.15-2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi krb5-appl-clients
Package krb5-appl-clients-1.0.3-2.mga3.x86_64 is already installed

dovecot and telnet respond the same as procedure in Comment 4

install dovecot from updates_testing

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.1.15-2.1.mga3.x86_64 is already installed

dovecot and telnet respond the same as procedure in Comment 4

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Mandriva has issued an advisory for this today (May 16): http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:099/
URL: (none) => http://lwn.net/Vulnerabilities/599083/
Advisory added. Update pushed: http://advisories.mageia.org/MGASA-2014-0223.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory