Bug 22673 - dovecot new security issues CVE-2017-14461 and CVE-2017-15130
Summary: dovecot new security issues CVE-2017-14461 and CVE-2017-15130
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-01 06:09 CET by David Walser
Modified: 2018-03-07 21:38 CET (History)
4 users (show)

See Also:
Source RPM: dovecot-2.3.0-5.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 2.2.34 and 2.3.1

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-03-01 06:09:49 CET 
Upstream has released versions 2.3.1 and 2.2.34 on February 28:
https://www.dovecot.org/list/dovecot-news/2018-February/000371.html
https://www.dovecot.org/list/dovecot-news/2018-February/000370.html

They fix three security issues, one of which we just fixed in Bug 22468.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-03-01 06:11:03 CET

Status comment: (none) => Fixed upstream in 2.2.34 and 2.3.1
Summary: dovecot new security issue CVE-2017-14461 and CVE-2017-15130 => dovecot new security issues CVE-2017-14461 and CVE-2017-15130
Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-03-01 14:24:02 CET 
dovecot-2.3.0.1-1.mga7 uploaded for Cauldron by Stig-Ørjan.

Version: Cauldron => 6
CC: (none) => smelror
Whiteboard: MGA6TOO => (none)

Comment 2 David Walser 2018-03-01 14:30:00 CET 
More info on the security issues:
http://openwall.com/lists/oss-security/2018/03/01/2
http://openwall.com/lists/oss-security/2018/03/01/3
Comment 3 Stig-Ørjan Smelror 2018-03-01 15:50:35 CET 
Advisory
========

Dovecot has been updated to version 2.2.34 to fix two security issues.

CVE-2017-14461:
This vulnerability comes in two flavors. A malicious party can send a
specially crafted email to a vulnerable system, causing it to crash
dovecot. In some systems, the mail can be stored into the mail system, 
causing crash every time it is being opened.

CVE-2017-15130:
If dovecot has been configured with local name or local net
configuration blocks, SNI lookups can be used to trash memory with
useless config by using random servernames.

References
==========
http://openwall.com/lists/oss-security/2018/03/01/2
http://openwall.com/lists/oss-security/2018/03/01/3

Files
=====

Updated files in core/updates_testing:

dovecot-2.2.34-1.mga6
dovecot-devel-2.2.34-1.mga6
dovecot-pigeonhole-2.2.34-1.mga6
dovecot-pigeonhole-devel-2.2.34-1.mga6
dovecot-plugins-gssapi-2.2.34-1.mga6
dovecot-plugins-ldap-2.2.34-1.mga6
dovecot-plugins-mysql-2.2.34-1.mga6
dovecot-plugins-pgsql-2.2.34-1.mga6
dovecot-plugins-sqlite-2.2.34-1.mga6

from dovecot-2.2.34-1.mga6.src.rpm
Comment 4 Marja Van Waes 2018-03-01 17:33:02 CET 
@ kekePower

Can this bug be assigned to QA team?

Assignee: bugsquad => smelror
CC: (none) => marja11

Comment 5 Stig-Ørjan Smelror 2018-03-01 17:40:39 CET 
(In reply to Marja van Waes from comment #4)
> @ kekePower
> 
> Can this bug be assigned to QA team?

Yes. Done.

Cheers,
Stig

Assignee: smelror => qa-bugs

Comment 6 claire robinson 2018-03-01 23:19:03 CET 
Advisory uploaded.

Keywords: (none) => advisory

Comment 7 claire robinson 2018-03-01 23:20:45 CET 
Procedure bug 22468 comment 5

Keywords: (none) => has_procedure

Comment 8 PC LX 2018-03-02 21:47:12 CET 
Installed and tested without issues.


Tested using kmail/akonadi/Mageia and k9/android to access GBs of e-mails on a dovecot server.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.20-desktop-1.mga6 #1 SMP Sun Feb 18 01:22:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep dovecot | sort
dovecot-2.2.34-1.mga6
dovecot-pigeonhole-2.2.34-1.mga6
$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
Connection closed.
$ su
Password:
# systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: enabled)
   Active: active (running) since Sex 2018-03-02 15:49:57 WET; 4h 52min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
  Process: 29779 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
  Process: 29784 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
 Main PID: 29787 (dovecot)
      CPU: 2.715s
   CGroup: /system.slice/dovecot.service
           ├─ 4414 dovecot/imap-login
           ├─ 4494 dovecot/imap
           ├─19749 dovecot/imap-login
           ├─19751 dovecot/ssl-params
           ├─19753 dovecot/imap
           ├─29787 /usr/sbin/dovecot
           ├─29788 dovecot/anvil
           ├─29789 dovecot/log
           └─29792 dovecot/config
<SNIP>
# doveconf protocols listen
protocols = imap
listen = *, ::

CC: (none) => mageia

Comment 9 David Walser 2018-03-03 20:57:24 CET 
Debian has issued an advisory for this on March 2:
https://www.debian.org/security/2018/dsa-4130
Comment 10 claire robinson 2018-03-07 17:50:00 CET 
Adding OK from comprehensive test of PC LX in comment 8 and validating.

Whiteboard: (none) => mga6-64-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2018-03-07 21:38:21 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0160.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.