Bugzilla – Bug 1032248
VUL-0: CVE-2017-2669: dovecot: DoS when passdb dict was used for authentication
Last modified: 2017-07-06 22:39:05 UTC
CVSS: 6.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H)
Vulnerable versions: 2.2.26 - 2.2.28
Fixed version(s): 2.2.29
Broken by a3783f8a3c9cd816b51e77a922f82301512fcf22
Fixed by 000030feb7a30f193197f1aab8a7b04a26b42735

is public

Dovecot supports "dict" passdb and userdb: https://wiki2.dovecot.org/AuthDatabase/Dict

When these were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.

Excessive memory usage could be done with e.g. %09999999999u as the username. Because by default Dovecot limits the auth process's VSZ and exits on any memory allocation failure, the auth process typically dies afterwards and is immediately restarted. This may result in some user authentications getting temporary internal failures.

Excessive CPU usage could be done with the %{pkcs5;rounds=100000000:user} variable introduced in v2.2.27.

Please use this https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch to fix this issue, it should be applicable to older versions too. Please let us know if you need assistance in patching.

---
Aki Tuomi
Dovecot oy
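The failure mode described in the comment above, as an added example that is not Dovecot's code: a toy var_expand()-style expander that recognises the two template shapes quoted in the report, `%[0][width]x` and `%{func;params:name}`, caps the padding width and the pkcs5 round count, and inserts the client-supplied username as data in a single pass so it is never re-parsed as a template. The cap values, the salt, the padding side and the exact token syntax are this example's own assumptions, not Dovecot's.

```python
"""Toy var_expand()-style expander with resource caps (example, not Dovecot code).

Demonstrates the CVE-2017-2669 risk class: a client-controlled string reaching
a %variable expander that honours width padding and expensive functions.
"""
import hashlib
import re

# Resource caps chosen for this example (assumption; Dovecot's limits differ).
MAX_WIDTH = 4096        # longest padded field the expander will build
MAX_ROUNDS = 100_000    # most PBKDF2 iterations a template may request
_SALT = b"example-salt"  # constructed value for the demo only

# Token grammar (this example's own):  %%  |  %[0][width]{func;k=v,...:name}  |  %[0][width]x
_TOKEN = re.compile(r"%%|%(0?)(\d*)(?:\{([^}]*)\}|([A-Za-z]))")


class ExpansionLimitError(ValueError):
    """Raised when a template asks for more memory or CPU than the caps allow."""


def _parse_braced(body):
    """Split 'pkcs5;rounds=1000:user' into ('pkcs5', {'rounds': '1000'}, 'user')."""
    if ";" not in body:
        return None, {}, body
    func, rest = body.split(";", 1)
    param_str, _, name = rest.partition(":")
    params = dict(p.split("=", 1) for p in param_str.split(",") if "=" in p)
    return func, params, name


def _apply_func(func, params, value):
    """Apply a named function to a looked-up value, refusing excessive work."""
    if func is None:
        return value
    if func == "pkcs5":
        rounds = int(params.get("rounds", "1"))  # ValueError on garbage is fine
        if rounds > MAX_ROUNDS:
            raise ExpansionLimitError(
                "pkcs5 rounds %d exceeds cap %d" % (rounds, MAX_ROUNDS))
        return hashlib.pbkdf2_hmac("sha256", value.encode(), _SALT, rounds).hex()
    raise ExpansionLimitError("unknown function %r" % func)


def expand(template, table):
    """Single-pass expansion: values from `table` are inserted as data, never re-parsed."""
    def repl(m):
        if m.group(0) == "%%":
            return "%"
        zero_pad, width_str, braced, letter = m.groups()
        width = int(width_str) if width_str else 0
        if width > MAX_WIDTH:
            raise ExpansionLimitError(
                "field width %d exceeds cap %d" % (width, MAX_WIDTH))
        if braced is not None:
            func, params, name = _parse_braced(braced)
        else:
            func, params, name = None, {}, letter
        value = _apply_func(func, params, table.get(name, ""))  # unknown -> "" (assumption)
        if width:
            value = value.rjust(width, "0" if zero_pad else " ")
        return value
    return _TOKEN.sub(repl, template)


def safe_expand(template, table):
    """Return (True, text) on success or (False, reason) when a cap rejects the template."""
    try:
        return True, expand(template, table)
    except ValueError as exc:  # ExpansionLimitError is a ValueError
        return False, str(exc)


def contains_expansion(username):
    """Cheap pre-check: a client-supplied username has no business carrying %tokens."""
    return "%" in username


if __name__ == "__main__":
    # Configured key template (operator-controlled) with the username as data.
    print(safe_expand("passdb/%u", {"u": "alice"}))
    # The hostile username from the report is inserted literally, not interpreted.
    print(safe_expand("passdb/%u", {"u": "%09999999999u"}))
    # The same string used *as* a template is refused by the width cap.
    print(safe_expand("%09999999999u", {"u": "alice"}))
    # The CPU variant is refused by the rounds cap.
    print(safe_expand("%{pkcs5;rounds=100000000:user}", {"user": "alice"}))
```

The important property is in `expand`: `re.sub` never rescans the text it substitutes in, so the username reaches the dict key as a value rather than as a second template, and the caps turn the two resource-exhaustion shapes into a logged refusal instead of a dead auth process.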
We can try to take the minor version update without more paperwork. Let's see if that works.
dovecot: created request id 131687
This brings 2 major fixes:
1. reload support
2. move ssl certs out of /etc/ssl/certs (old bugfix missing in sle)

dovecot22: created request id 131688
This brings all the security and other fixes done since 2.2.13
SUSE-SU-2017:1250-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1032248,854512,932386
CVE References: CVE-2017-2669
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): dovecot22-2.2.29.1-11.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): dovecot22-2.2.29.1-11.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): dovecot-2.2-3.1, dovecot22-2.2.29.1-11.1
SUSE Linux Enterprise Server 12-SP2 (src): dovecot-2.2-3.1, dovecot22-2.2.29.1-11.1
SUSE Linux Enterprise Server 12-SP1 (src): dovecot-2.2-3.1, dovecot22-2.2.29.1-11.1
Peter, ping for openSUSE!
This is an autogenerated message for OBS integration: This bug (1032248) was mentioned in https://build.opensuse.org/request/show/505994 42.2 / dovecot22.4673
This is an autogenerated message for OBS integration: This bug (1032248) was mentioned in https://build.opensuse.org/request/show/506002 42.2 / dovecot22
Release for 42.2, done
openSUSE-SU-2017:1807-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1032248,854512,932386
CVE References: CVE-2017-2669
Sources used:
openSUSE Leap 42.2 (src): dovecot22-2.2.30.2-5.4.1