[SECURITY] [DLA 1333-1] dovecot security update

Package        : dovecot
Version        : 1:2.1.7-7+deb7u2
CVE ID         : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132


Several vulnerabilities have been discovered in the Dovecot email
server. The Common Vulnerabilities and Exposures project identifies the
following issues:

CVE-2017-14461

    Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that
    Dovecot does not properly parse invalid email addresses, which may
    cause a crash or leak memory contents to an attacker.

CVE-2017-15130

    It was discovered that TLS SNI config lookups may lead to excessive
    memory usage, causing imap-login/pop3-login VSZ limit to be reached
    and the process restarted, resulting in a denial of service. Only
    Dovecot configurations containing local_name { } or local { }
    configuration blocks are affected.

CVE-2017-15132

    It was discovered that Dovecot contains a memory leak flaw in the
    login process on aborted SASL authentication.


For Debian 7 "Wheezy", these problems have been fixed in version
1:2.1.7-7+deb7u2.

We recommend that you upgrade your dovecot packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
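
A host-side check for the points above, added here as an example and not part of the advisory: it compares the installed package against the fixed version and tests whether the configuration contains the local_name { } or local { } blocks that CVE-2017-15130 depends on. The function names, the default package name dovecot-core and the use of `doveconf -n` to dump the active configuration are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): triage a wheezy host for DLA 1333-1.
FIXED='1:2.1.7-7+deb7u2'   # fixed version stated in the advisory

# Print "patched", "vulnerable" or "not-installed" for the given package.
pkg_status() {
    inst=$(dpkg-query -W -f='${Version}' "$1" 2>/dev/null) || inst=''
    if [ -z "$inst" ]; then
        echo not-installed
    elif dpkg --compare-versions "$inst" ge "$FIXED"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Read Dovecot configuration text on stdin and succeed if it contains a
# local_name { } or local { } block, the precondition for CVE-2017-15130.
has_sni_blocks() {
    grep -Eq '^[[:space:]]*local(_name)?[[:space:]]+[^#]*\{'
}

triage() {
    pkg=${1:-dovecot-core}   # assumption: binary package name to check
    status=$(pkg_status "$pkg")
    echo "$pkg: $status (fixed in $FIXED)"
    if [ "$status" != vulnerable ]; then
        return 0
    fi
    if doveconf -n 2>/dev/null | has_sni_blocks; then
        echo "local_name/local block found: CVE-2017-15130 applies to this config"
    else
        echo "no local_name/local block: CVE-2017-15130 does not apply"
    fi
    echo "CVE-2017-14461 and CVE-2017-15132 carry no such condition; upgrade"
    return 1
}

if [ "${1:-}" = "--check" ]; then
    triage "${2:-}"
fi
```

Run it as `sh script.sh --check` on the mail server; a non-zero exit status means the installed package is older than the fixed version.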

