Upstream has released versions 2.3.1 and 2.2.34 on February 28:
https://www.dovecot.org/list/dovecot-news/2018-February/000371.html
https://www.dovecot.org/list/dovecot-news/2018-February/000370.html
They fix three security issues, one of which we just fixed in Bug 22468. Mageia 5 and Mageia 6 are also affected.
Status comment: (none) => Fixed upstream in 2.2.34 and 2.3.1
Summary: dovecot new security issue CVE-2017-14461 and CVE-2017-15130 => dovecot new security issues CVE-2017-14461 and CVE-2017-15130
Whiteboard: (none) => MGA6TOO
dovecot-2.3.0.1-1.mga7 uploaded for Cauldron by Stig-Ørjan.
Version: Cauldron => 6
CC: (none) => smelror
Whiteboard: MGA6TOO => (none)
More info on the security issues:
http://openwall.com/lists/oss-security/2018/03/01/2
http://openwall.com/lists/oss-security/2018/03/01/3
Advisory
========

Dovecot has been updated to version 2.2.34 to fix two security issues.

CVE-2017-14461: This vulnerability comes in two flavors. A malicious party can send a specially crafted email to a vulnerable system, causing it to crash dovecot. In some systems, the mail can be stored into the mail system, causing a crash every time it is being opened.

CVE-2017-15130: If dovecot has been configured with local name or local net configuration blocks, SNI lookups can be used to trash memory with useless config by using random server names.

References
==========

http://openwall.com/lists/oss-security/2018/03/01/2
http://openwall.com/lists/oss-security/2018/03/01/3

Files
=====

Updated files in core/updates_testing:

dovecot-2.2.34-1.mga6
dovecot-devel-2.2.34-1.mga6
dovecot-pigeonhole-2.2.34-1.mga6
dovecot-pigeonhole-devel-2.2.34-1.mga6
dovecot-plugins-gssapi-2.2.34-1.mga6
dovecot-plugins-ldap-2.2.34-1.mga6
dovecot-plugins-mysql-2.2.34-1.mga6
dovecot-plugins-pgsql-2.2.34-1.mga6
dovecot-plugins-sqlite-2.2.34-1.mga6

from dovecot-2.2.34-1.mga6.src.rpm
@ kekePower Can this bug be assigned to QA team?
Assignee: bugsquad => smelror
CC: (none) => marja11
(In reply to Marja van Waes from comment #4)
> @ kekePower
>
> Can this bug be assigned to QA team?

Yes. Done.

Cheers,
Stig
Assignee: smelror => qa-bugs
Advisory uploaded.
Keywords: (none) => advisory
Procedure bug 22468 comment 5
Keywords: (none) => has_procedure
Installed and tested without issues.

Tested using kmail/akonadi/Mageia and k9/android to access GBs of e-mails on a dovecot server.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.20-desktop-1.mga6 #1 SMP Sun Feb 18 01:22:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep dovecot | sort
dovecot-2.2.34-1.mga6
dovecot-pigeonhole-2.2.34-1.mga6

$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
Connection closed.

$ su
Password:
# systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: enabled)
   Active: active (running) since Sex 2018-03-02 15:49:57 WET; 4h 52min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
  Process: 29779 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
  Process: 29784 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
 Main PID: 29787 (dovecot)
      CPU: 2.715s
   CGroup: /system.slice/dovecot.service
           ├─ 4414 dovecot/imap-login
           ├─ 4494 dovecot/imap
           ├─19749 dovecot/imap-login
           ├─19751 dovecot/ssl-params
           ├─19753 dovecot/imap
           ├─29787 /usr/sbin/dovecot
           ├─29788 dovecot/anvil
           ├─29789 dovecot/log
           └─29792 dovecot/config
<SNIP>

# doveconf protocols listen
protocols = imap
listen = *, ::
CC: (none) => mageia
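The QA report above checks the installed package versions and the running configuration by hand. The script below is an added example (not part of this bug report or Mageia's QA procedure) that automates the two checks that matter for this update: every installed dovecot* package must be at or above 2.2.34, the fixed version named in the advisory, and `doveconf -n` is inspected for `local` / `local_name` blocks, which correspond to the "local name or local net configuration blocks" that the advisory says CVE-2017-15130 requires. The block keyword names are assumed from Dovecot's configuration syntax; the live checks run only with `--live`, so the helpers can be exercised on constructed input.

```shell
#!/bin/sh
# Added example: audit a Mageia 6 host for the dovecot 2.2.34 update.
# Exit status 1 when any installed dovecot* package is older than the fix.

FIXED_VERSION="2.2.34"   # fixed version for Mageia 6, per the advisory

# Upstream version from an rpm name-version-release string, e.g.
# dovecot-pigeonhole-2.2.34-1.mga6 -> 2.2.34 (drop release, then name)
rpm_version() {
    printf '%s\n' "$1" | sed -e 's/-[^-]*$//' -e 's/.*-//'
}

# version_ge A B: true when A sorts at or after B in natural version order
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# True when the package's upstream version carries the fix
package_is_fixed() {
    version_ge "$(rpm_version "$1")" "$FIXED_VERSION"
}

# Reads `doveconf -n` output on stdin; true if SNI-dependent blocks exist
# (assumed keywords: "local_name <host> {" and "local <net> {").
config_uses_sni_blocks() {
    grep -Eq '^[[:space:]]*local(_name)?[[:space:]]'
}

if [ "${1:-}" = "--live" ]; then
    status=0
    for pkg in $(rpm -qa 'dovecot*'); do
        if package_is_fixed "$pkg"; then
            echo "OK       $pkg"
        else
            echo "OUTDATED $pkg (need >= $FIXED_VERSION)"
            status=1
        fi
    done
    if doveconf -n 2>/dev/null | config_uses_sni_blocks; then
        echo "NOTE     local/local_name blocks present: CVE-2017-15130 applied before the fix"
    else
        echo "OK       no local/local_name blocks: CVE-2017-15130 not reachable"
    fi
    exit "$status"
fi
```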
Debian has issued an advisory for this on March 2: https://www.debian.org/security/2018/dsa-4130
Adding OK from comprehensive test of PC LX in comment 8 and validating.
Whiteboard: (none) => mga6-64-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0160.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED