Bug 13355 - dovecot new security issue CVE-2014-3430
Summary: dovecot new security issue CVE-2014-3430
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/599083/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-05-09 23:10 CEST by David Walser
Modified: 2014-05-17 02:46 CEST

See Also:
Source RPM: dovecot-2.2.6-3.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-05-09 23:10:50 CEST
A CVE has been assigned for a DoS security issue in Dovecot:
http://openwall.com/lists/oss-security/2014/05/09/8

More details and links to upstream commits to fix this are in the CVE request:
http://openwall.com/lists/oss-security/2014/05/09/4

It will also be fixed in 2.2.13 and possibly 2.1.18 (if it's released).

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-05-09 23:11:03 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-05-12 19:46:59 CEST
Dovecot 2.2.13 has been released on May 11, fixing this issue:
http://www.dovecot.org/list/dovecot-news/2014-May/000273.html

Comment 2 Oden Eriksson 2014-05-13 14:32:10 CEST
fixed with dovecot-2.1.15-2.1.mga3, dovecot-2.2.6-2.2.mga4 & dovecot-2.2.13-1.mga5.

CC: (none) => oe

Comment 3 David Walser 2014-05-13 14:41:34 CEST
Thanks Oden!

Advisory:
========================

Updated dovecot packages fix security vulnerability:

Dovecot before 2.2.13 is vulnerable to a DoS attack against imap/pop3-login
processes. If SSL/TLS handshake was started but wasn't finished, the login
process attempted to eventually forcibly disconnect the client, but failed
to do it correctly. This could have left the connections hanging around for
a long time (CVE-2014-3430).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3430
http://permalink.gmane.org/gmane.mail.imap.dovecot/77499
http://www.dovecot.org/list/dovecot-news/2014-May/000273.html
http://openwall.com/lists/oss-security/2014/05/09/8
========================

Updated packages in core/updates_testing:
========================
dovecot-2.1.15-2.1.mga3
dovecot-pigeonhole-2.1.15-2.1.mga3
dovecot-pigeonhole-devel-2.1.15-2.1.mga3
dovecot-plugins-pgsql-2.1.15-2.1.mga3
dovecot-plugins-mysql-2.1.15-2.1.mga3
dovecot-plugins-ldap-2.1.15-2.1.mga3
dovecot-plugins-gssapi-2.1.15-2.1.mga3
dovecot-plugins-sqlite-2.1.15-2.1.mga3
dovecot-devel-2.1.15-2.1.mga3
dovecot-2.2.6-2.2.mga4
dovecot-pigeonhole-2.2.6-2.2.mga4
dovecot-pigeonhole-devel-2.2.6-2.2.mga4
dovecot-plugins-pgsql-2.2.6-2.2.mga4
dovecot-plugins-mysql-2.2.6-2.2.mga4
dovecot-plugins-ldap-2.2.6-2.2.mga4
dovecot-plugins-gssapi-2.2.6-2.2.mga4
dovecot-plugins-sqlite-2.2.6-2.2.mga4
dovecot-devel-2.2.6-2.2.mga4

from SRPMS:
dovecot-2.1.15-2.1.mga3.src.rpm
dovecot-2.2.6-2.2.mga4.src.rpm

CC: (none) => mitya
Version: Cauldron => 4
Assignee: mitya => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 4 claire robinson 2014-05-13 19:12:17 CEST
Testing complete mga4 64

Basic testing only. Use ctrl+] to get the telnet prompt in a telnet session.

# service dovecot start
Redirecting to /bin/systemctl start dovecot.service

# service dovecot status
Redirecting to /bin/systemctl status dovecot.service
dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
   Active: active (running) since Tue 2014-05-13 18:04:33 BST; 5s ago
 Main PID: 14150 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─14150 /usr/sbin/dovecot -F
           ├─14162 dovecot/anvil
           ├─14163 dovecot/log
           └─14171 dovecot/config

systemd[1]: Started Dovecot IMAP/POP3 email server.
dovecot[13062]: master: Dovecot v2.2.6 starting up (core dumps disabled)

# doveconf protocols listen
protocols = imap pop3 lmtp
listen = *

# telnet localhost 143
Trying 127.0.0.1...
Connected to computer.athome.net (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
telnet> close
Connection closed.

# telnet localhost 110
Trying 127.0.0.1...
Connected to computer.athome.net (127.0.0.1).
Escape character is '^]'.
+OK Dovecot ready.
^]
telnet> close
Connection closed.

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
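
The manual telnet check from comment 4, written as a non-interactive script. This is an added example, not part of the original bug report or of Dovecot; the function names are its own, and the ports and expected greetings are the ones shown in comment 4. Like the manual check, it only confirms that the services greet clients after the update; it does not exercise the unfinished-handshake condition described in the advisory.

```python
import socket

# Ports used in the telnet session in comment 4.
IMAP_PORT, POP3_PORT = 143, 110

def read_greeting(host, port, timeout=5.0):
    """Connect, read the one greeting line the server sends first, then close."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        buf = b""
        while not buf.endswith(b"\n") and len(buf) < 4096:
            chunk = sock.recv(1024)
            if not chunk:          # peer closed before sending a full line
                break
            buf += chunk
    return buf.decode("ascii", errors="replace").strip()

def parse_imap_greeting(line):
    """Return (ok, capabilities) for a line like '* OK [CAPABILITY ...] Dovecot ready.'"""
    if not line.startswith("* OK"):
        return False, set()
    caps = set()
    marker = "[CAPABILITY "
    start = line.find(marker)
    if start != -1:
        end = line.find("]", start)
        if end != -1:
            caps = set(line[start + len(marker):end].split())
    return True, caps

def parse_pop3_greeting(line):
    """A healthy POP3 listener opens with '+OK'."""
    return line.startswith("+OK")

def smoke_test(host="localhost", imap_port=IMAP_PORT, pop3_port=POP3_PORT):
    """Run both greeting checks; a refused or timed-out connection is a failure."""
    results = {}
    for name, port in (("imap", imap_port), ("pop3", pop3_port)):
        try:
            line = read_greeting(host, port)
        except OSError as exc:     # includes refused connections and timeouts
            results[name] = {"ok": False, "detail": f"connect/read failed: {exc}"}
            continue
        if name == "imap":
            ok, caps = parse_imap_greeting(line)
            results[name] = {"ok": ok, "detail": line, "starttls": "STARTTLS" in caps}
        else:
            results[name] = {"ok": parse_pop3_greeting(line), "detail": line}
    return results

if __name__ == "__main__":
    for proto, res in smoke_test().items():
        print(proto, "OK" if res["ok"] else "FAIL", res["detail"])
```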

Comment 5 William Kenney 2014-05-14 21:49:57 CEST
(In reply to claire robinson from comment #4)

> Basic testing only. Use ctrl+] to get the telnet prompt in a telnet session.

Share with me how to open/start a telnet session.
Thanks

CC: (none) => wilcal.int

Comment 6 claire robinson 2014-05-14 22:42:42 CEST
Install any of krb5-appl-clients, heimdal-telnet, netkit-telnet to get telnet utility. To use it just do as I did in comment 4.

Comment 7 William Kenney 2014-05-14 22:52:49 CEST
(In reply to claire robinson from comment #6)

> Install any of krb5-appl-clients, heimdal-telnet, netkit-telnet to get
> telnet utility. To use it just do as I did in comment 4.

Thanks, I'll be poke'n at this between now and the meeting tomorrow.
It's been a VERY long time since I've tinkered with telnet.

Comment 8 William Kenney 2014-05-15 18:13:14 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
dovecot krb5-appl-clients

default install of dovecot

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.6-2.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi krb5-appl-clients
Package krb5-appl-clients-1.0.3-3.mga4.i586 is already installed

dovecot and telnet respond the same as procedure in Comment 4

install dovecot from updates_testing

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.6-2.2.mga4.i586 is already installed

dovecot and telnet respond the same as procedure in Comment 4

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 9 William Kenney 2014-05-15 18:35:53 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
dovecot krb5-appl-clients

default install of dovecot

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.1.15-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi krb5-appl-clients
Package krb5-appl-clients-1.0.3-2.mga3.i586 is already installed

dovecot and telnet respond the same as procedure in Comment 4

install dovecot from updates_testing

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.1.15-2.1.mga3.i586 is already installed

dovecot and telnet respond the same as procedure in Comment 4

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok

Comment 10 William Kenney 2014-05-15 18:51:34 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
dovecot krb5-appl-clients

default install of dovecot

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.1.15-2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi krb5-appl-clients
Package krb5-appl-clients-1.0.3-2.mga3.x86_64 is already installed

dovecot and telnet respond the same as procedure in Comment 4

install dovecot from updates_testing

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.1.15-2.1.mga3.x86_64 is already installed

dovecot and telnet respond the same as procedure in Comment 4

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 11 William Kenney 2014-05-15 18:52:04 CEST
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 David Walser 2014-05-16 19:25:01 CEST
Mandriva has issued an advisory for this today (May 16):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:099/

URL: (none) => http://lwn.net/Vulnerabilities/599083/

Comment 13 Thomas Backlund 2014-05-17 02:46:26 CEST
advisory added.

update pushed:
http://advisories.mageia.org/MGASA-2014-0223.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory

