Upstream has issued an advisory on January 25: http://openwall.com/lists/oss-security/2018/01/25/4 The issue will be fixed in 2.2.34 and 2.3.1. The upstream commit to fix the issue is linked in the message above. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => mageia, marja11
Assignee: bugsquad => pkg-bugs
Assignee: pkg-bugs => mageia
I have uploaded a patched package for Mageia 5/6.

Suggested advisory:
========================

Updated dovecot packages fix security vulnerabilities:

A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has an impact in high performance configurations where the same login processes are reused and can cause the process to crash due to memory exhaustion. (CVE-2017-15132)

References:
========================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15132

Updated packages in core/updates_testing:
========================
mga5:
dovecot-2.2.13-5.4.mga5
dovecot-pigeonhole-2.2.13-5.4.mga5
dovecot-pigeonhole-devel-2.2.13-5.4.mga5
dovecot-plugins-pgsql-2.2.13-5.4.mga5
dovecot-plugins-mysql-2.2.13-5.4.mga5
dovecot-plugins-ldap-2.2.13-5.4.mga5
dovecot-plugins-gssapi-2.2.13-5.4.mga5
dovecot-plugins-sqlite-2.2.13-5.4.mga5
dovecot-devel-2.2.13-5.4.mga5

mga6:
dovecot-2.2.29.1-1.1.mga6
dovecot-pigeonhole-2.2.29.1-1.1.mga6
dovecot-pigeonhole-devel-2.2.29.1-1.1.mga6
dovecot-plugins-pgsql-2.2.29.1-1.1.mga6
dovecot-plugins-mysql-2.2.29.1-1.1.mga6
dovecot-plugins-ldap-2.2.29.1-1.1.mga6
dovecot-plugins-gssapi-2.2.29.1-1.1.mga6
dovecot-plugins-sqlite-2.2.29.1-1.1.mga6
dovecot-devel-2.2.29.1-1.1.mga6
dovecot-debuginfo-2.2.29.1-1.1.mga6

Source RPMs:
dovecot-2.2.13-5.4.mga5.src.rpm
dovecot-2.2.29.1-1.1.mga6.src.rpm
Assignee: mageia => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
CC: (none) => tmb
Please also include the URL in Comment 0 in the references.
Whiteboard: (none) => MGA5TOO
Installed and tested without issues. Tested using kmail/akonadi and k9/Android to access several GB of e-mails on the dovecot server.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.15-desktop-2.mga6 #1 SMP Wed Jan 24 23:42:14 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep dovecot | sort
dovecot-2.2.29.1-1.1.mga6
dovecot-pigeonhole-2.2.29.1-1.1.mga6
CC: (none) => mageia
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Ref bug 17162 Comment 3 for testing

At CLI:
# systemctl start dovecot
# systemctl -l status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
   Active: active (running) since di 2018-01-30 16:26:52 CET; 19s ago
 Main PID: 6194 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─6194 /usr/sbin/dovecot -F
           ├─6221 dovecot/anvil
           ├─6222 dovecot/log
           ├─6223 dovecot/ssl-params
           ├─6224 dovecot/config
           └─6227 dovecot/ssl-params

jan 30 16:26:57 xxxx.yyyy.zzzz dovecot[6194]: master: Dovecot v2.2.13 starting up for imap, pop3, lmtp (core dumps disabled)
jan 30 16:27:08 xxxx.yyyy.zzzz dovecot[6222]: ssl-params: Generating SSL parameters

# doveconf protocols listen
protocols = imap pop3 lmtp
listen = *

# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
close
Connection closed by foreign host.

Looks OK
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
A problem was found with the upstream fix and corrected in a new commit: http://openwall.com/lists/oss-security/2018/01/31/1
Keywords: (none) => feedback
New advisory:

I have uploaded a patched package for Mageia 5/6.

Suggested advisory:
========================

Updated dovecot packages fix security vulnerabilities:

A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has an impact in high performance configurations where the same login processes are reused and can cause the process to crash due to memory exhaustion. (CVE-2017-15132)

References:
========================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15132
http://openwall.com/lists/oss-security/2018/01/25/4
http://openwall.com/lists/oss-security/2018/01/31/1

Updated packages in core/updates_testing:
========================
mga5:
dovecot-2.2.13-5.6.mga5
dovecot-pigeonhole-2.2.13-5.6.mga5
dovecot-pigeonhole-devel-2.2.13-5.6.mga5
dovecot-plugins-pgsql-2.2.13-5.6.mga5
dovecot-plugins-mysql-2.2.13-5.6.mga5
dovecot-plugins-ldap-2.2.13-5.6.mga5
dovecot-plugins-gssapi-2.2.13-5.6.mga5
dovecot-plugins-sqlite-2.2.13-5.6.mga5
dovecot-devel-2.2.13-5.6.mga5

mga6:
dovecot-2.2.29.1-1.2.mga6
dovecot-pigeonhole-2.2.29.1-1.2.mga6
dovecot-pigeonhole-devel-2.2.29.1-1.2.mga6
dovecot-plugins-pgsql-2.2.29.1-1.2.mga6
dovecot-plugins-mysql-2.2.29.1-1.2.mga6
dovecot-plugins-ldap-2.2.29.1-1.2.mga6
dovecot-plugins-gssapi-2.2.29.1-1.2.mga6
dovecot-plugins-sqlite-2.2.29.1-1.2.mga6
dovecot-devel-2.2.29.1-1.2.mga6
dovecot-debuginfo-2.2.29.1-1.2.mga6

Source RPMs:
dovecot-2.2.13-5.6.mga5.src.rpm
dovecot-2.2.29.1-1.2.mga6.src.rpm
Keywords: feedback => (none)
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO
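The corrected advisory supersedes the first builds (5.4.mga5 and 1.1.mga6), so a host that installed the earlier packages from updates_testing still carries the original upstream fix that upstream later corrected. The following Python script is an added example, not Mageia's or Dovecot's own tooling: it parses `rpm -qa` output and reports whether each dovecot package meets the versions listed in the corrected advisory. The sample output is constructed from the package names in this bug; the version comparison is a simplified form of rpm's rpmvercmp (no epoch or tilde handling), and stripping a trailing architecture suffix is an assumption about the output format.

```python
"""Check installed dovecot packages against the Mageia builds that fix
CVE-2017-15132.  Added example; not Mageia's or Dovecot's own tooling."""
import re

# Fixed (version, release) per Mageia release, from the corrected advisory.
# The first advisory's builds (5.4.mga5 / 1.1.mga6) carried the original
# upstream fix that was later corrected, so they compare as unpatched.
FIXED = {
    "mga5": ("2.2.13", "5.6.mga5"),
    "mga6": ("2.2.29.1", "1.2.mga6"),
}

# Assumption: some rpm configurations append an arch suffix to `rpm -qa` lines.
ARCH_SUFFIX = re.compile(r"\.(x86_64|i586|noarch)$")


def split_nvr(nvr):
    """Split 'dovecot-plugins-ldap-2.2.13-5.4.mga5' into (name, version, release)."""
    nvr = ARCH_SUFFIX.sub("", nvr)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def rpm_segments(s):
    """Tokenise a version string into alternating numeric and alpha segments."""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 like strcmp (no epoch/tilde)."""
    sa, sb = rpm_segments(a), rpm_segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            ix, iy = int(x), int(y)
            if ix != iy:
                return -1 if ix < iy else 1
        elif x.isdigit() != y.isdigit():
            # rpm ranks a numeric segment above an alphabetic one
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        # the string with more segments is the newer one
        return -1 if len(sa) < len(sb) else 1
    return 0


def release_tag(release):
    """Extract the distribution tag ('mga5', 'mga6') from an rpm release."""
    m = re.search(r"(mga\d+)$", release)
    return m.group(1) if m else None


def is_patched(nvr):
    """True if the package is at or above the fixed build, False if below,
    None if the release tag is not covered by the advisory."""
    name, version, release = split_nvr(nvr)
    if not name.startswith("dovecot"):
        raise ValueError("not a dovecot package: " + nvr)
    tag = release_tag(release)
    if tag not in FIXED:
        return None
    fixed_version, fixed_release = FIXED[tag]
    c = vercmp(version, fixed_version)
    if c == 0:
        c = vercmp(release, fixed_release)
    return c >= 0


def audit(rpm_qa_output):
    """Map each dovecot package in `rpm -qa` output to its patch status."""
    result = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if line.startswith("dovecot"):
            result[line] = is_patched(line)
    return result


# Constructed sample of `rpm -qa | grep dovecot` from two hosts: the mga6
# host has the corrected build, the mga5 host still has the first build.
SAMPLE = """\
dovecot-2.2.29.1-1.2.mga6
dovecot-pigeonhole-2.2.29.1-1.2.mga6
dovecot-2.2.13-5.4.mga5
"""

if __name__ == "__main__":
    for pkg, ok in audit(SAMPLE).items():
        state = "patched" if ok else ("NOT patched" if ok is False else "unknown")
        print(pkg, state)
```

On a real host, feed the script the output of `rpm -qa | grep dovecot` instead of SAMPLE; any package that reports "NOT patched" should be updated to the 5.6.mga5 or 1.2.mga6 build before the update is considered applied.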
Repeated tests as per Comment 5 above. OK
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
MGA6-32 on Dell Latitude D600 Mate
No installation issues.
Same tests as above, same results.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK
Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0114.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED