Fedora has issued an advisory on November 14:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171657.html

The issue is fixed in version 2.2.19.

Cauldron and Mageia 5 are affected.
Whiteboard: (none) => MGA5TOO
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated dovecot packages fix security vulnerability:

A buffer overflow may occur when handling pop3_deleted_flag setting. This can lead to crashing POP3 sessions in normal use.

No CVE for now.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171657.html
http://hg.dovecot.org/dovecot-2.2/rev/05e0700daea3
========================

Updated packages in core/updates_testing:
========================
dovecot-2.2.13-5.1.mga5
dovecot-pigeonhole-2.2.13-5.1.mga5
dovecot-pigeonhole-devel-2.2.13-5.1.mga5
dovecot-plugins-pgsql-2.2.13-5.1.mga5
dovecot-plugins-mysql-2.2.13-5.1.mga5
dovecot-plugins-ldap-2.2.13-5.1.mga5
dovecot-plugins-gssapi-2.2.13-5.1.mga5
dovecot-plugins-sqlite-2.2.13-5.1.mga5
dovecot-devel-2.2.13-5.1.mga5
dovecot-debuginfo-2.2.13-5.1.mga5

dovecot-2.2.19-1.mga6
dovecot-pigeonhole-2.2.19-1.mga6
dovecot-pigeonhole-devel-2.2.19-1.mga6
dovecot-plugins-pgsql-2.2.19-1.mga6
dovecot-plugins-mysql-2.2.19-1.mga6
dovecot-plugins-ldap-2.2.19-1.mga6
dovecot-plugins-gssapi-2.2.19-1.mga6
dovecot-plugins-sqlite-2.2.19-1.mga6
dovecot-devel-2.2.19-1.mga6
dovecot-debuginfo-2.2.19-1.mga6

from SRPMS:
dovecot-2.2.13-5.1.mga5.src.rpm
dovecot-2.2.19-1.mga6.src.rpm
Status: NEW => ASSIGNED
Assignee: yann.cantin => qa-bugs
Whiteboard: MGA5TOO => MGA5TOO advisory
Thanks Yann! Note that the advisory tag is for when an advisory has been committed to SVN.
CC: (none) => yann.cantin
Version: Cauldron => 5
Whiteboard: MGA5TOO advisory => (none)
In VirtualBox, M5, KDE, 32-bit

Tested per procedure in 13355

Package(s) under test:
dovecot

default install of dovecot

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.13-5.mga5.i586 is already installed
[root@localhost wilcal]# service dovecot start
Redirecting to /bin/systemctl start dovecot.service
[root@localhost wilcal]# service dovecot status
Redirecting to /bin/systemctl status dovecot.service
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
   Active: active (running) since Wed 2015-11-18 08:19:48 PST; 6min ago
 Main PID: 2704 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─2704 /usr/sbin/dovecot -F
           ├─2710 dovecot/anvil
           └─2711 dovecot/log

Nov 18 08:19:48 localhost dovecot[2704]: master: Dovecot v2.2.13 starting up for imap, pop3, lmtp (core dumps disabled)
Nov 18 08:19:48 localhost dovecot[2711]: ssl-params: Generating SSL parameters
Nov 18 08:19:55 localhost dovecot[2711]: ssl-params: SSL parameters regeneration completed
Nov 18 08:21:32 localhost dovecot[2711]: imap-login: Disconnected: Too many invalid commands (no auth attempts in 75 secs): user=<>, rip=127.0.0.1...7AB/AAAB>
Nov 18 08:23:44 localhost dovecot[2711]: pop3-login: Disconnected (no auth attempts in 104 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, ...ggB/AAAB>
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost wilcal]# doveconf protocols listen
protocols = imap pop3 lmtp
listen = *
[root@localhost wilcal]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
telnet> close
Connection closed.

install dovecot from updates_testing

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.13-5.1.mga5.i586 is already installed
[root@localhost wilcal]# service dovecot start
Redirecting to /bin/systemctl start dovecot.service
[root@localhost wilcal]# service dovecot status
Redirecting to /bin/systemctl status dovecot.service
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
   Active: active (running) since Wed 2015-11-18 08:29:26 PST; 36s ago
 Main PID: 3301 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─3301 /usr/sbin/dovecot -F
           ├─3317 dovecot/anvil
           ├─3318 dovecot/log
           └─3321 dovecot/config

Nov 18 08:29:26 localhost dovecot[3301]: master: Dovecot v2.2.13 starting up for imap, pop3, lmtp (core dumps disabled)
[root@localhost wilcal]# doveconf protocols listen
protocols = imap pop3 lmtp
listen = *
[root@localhost wilcal]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
telnet> close
Connection closed.
[root@localhost wilcal]#

Updated dovecot works
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

Tested per procedure in 13355

Package(s) under test:
dovecot

default install of dovecot

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.13-5.mga5.x86_64 is already installed
[root@localhost wilcal]# service dovecot start
Redirecting to /bin/systemctl start dovecot.service
[root@localhost wilcal]# service dovecot status
Redirecting to /bin/systemctl status dovecot.service
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
   Active: active (running) since Wed 2015-11-18 09:07:16 PST; 8s ago
 Main PID: 2089 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─2089 /usr/sbin/dovecot -F
           ├─2095 dovecot/anvil
           ├─2096 dovecot/log
           └─2099 dovecot/config

Nov 18 09:07:16 localhost dovecot[2089]: master: Dovecot v2.2.13 starting up for imap, pop3, lmtp (core dumps disabled)
Nov 18 09:07:16 localhost dovecot[2096]: ssl-params: Generating SSL parameters
Nov 18 09:07:16 localhost dovecot[2096]: ssl-params: SSL parameters regeneration completed
[root@localhost wilcal]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
telnet> close
Connection closed.

install dovecot from updates_testing

[root@localhost wilcal]# urpmi dovecot
Package dovecot-2.2.13-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# service dovecot start
Redirecting to /bin/systemctl start dovecot.service
[root@localhost wilcal]# service dovecot status
Redirecting to /bin/systemctl status dovecot.service
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
   Active: active (running) since Wed 2015-11-18 09:10:47 PST; 47s ago
 Main PID: 2490 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─2490 /usr/sbin/dovecot -F
           ├─2494 dovecot/anvil
           ├─2495 dovecot/log
           └─2498 dovecot/config

Nov 18 09:10:47 localhost dovecot[2490]: master: Dovecot v2.2.13 starting up for imap, pop3, lmtp (core dumps disabled)
[root@localhost wilcal]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
telnet> close
Connection closed.

Updated dovecot works
Looks good to me. What do you say, David?
(In reply to William Kenney from comment #5)
> Looks good to me. What do you say, David?

Yep, thanks.
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks
Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0452.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED