===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0948
                           dovecot security update
                                3 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dovecot
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-15132 CVE-2017-15130 CVE-2017-14461
Reference:         ESB-2018.0622
                   ESB-2018.0328
                   ESB-2018.0328

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : dovecot
Version        : 1:2.1.7-7+deb7u2
CVE ID         : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132

Several vulnerabilities have been discovered in the Dovecot email server.
The Common Vulnerabilities and Exposures project identifies the following
issues:

CVE-2017-14461

    Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that
    Dovecot does not properly parse invalid email addresses, which may
    cause a crash or leak memory contents to an attacker.

CVE-2017-15130

    It was discovered that TLS SNI config lookups may lead to excessive
    memory usage, causing the imap-login/pop3-login VSZ limit to be
    reached and the process restarted, resulting in a denial of service.
    Only Dovecot configurations containing local_name { } or local { }
    configuration blocks are affected.

CVE-2017-15132

    It was discovered that Dovecot contains a memory leak flaw in the
    login process on aborted SASL authentication.

For Debian 7 "Wheezy", these problems have been fixed in version
1:2.1.7-7+deb7u2.

We recommend that you upgrade your dovecot packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
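As an added triage helper (not part of the Debian advisory or the AusCERT bulletin): given the installed dovecot package version and a `doveconf -n` dump, it reports which of the three CVEs above still apply to a Wheezy host, using the fixed version 1:2.1.7-7+deb7u2 from the advisory and the local_name { } / local { } condition stated for CVE-2017-15130. The version ordering is a reimplementation of dpkg's comparison rules, and the configuration sample is constructed, not taken from any real host.

```python
import re
from itertools import zip_longest

FIXED_VERSION = "1:2.1.7-7+deb7u2"  # fixed Wheezy version stated in the bulletin
# config blocks that make CVE-2017-15130 (SNI lookup memory growth) reachable
SNI_BLOCK = re.compile(r"^\s*(local_name|local)\s+\S+\s*\{", re.M)

def _order(c):
    # dpkg weight of one non-digit character; '~' sorts before end of string (0)
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg ordering: walk alternating non-digit / numeric segments of both strings
    for (sa, da), (sb, db) in zip_longest(re.findall(r"(\D*)(\d*)", a),
                                          re.findall(r"(\D*)(\d*)", b), fillvalue=("", "")):
        n = max(len(sa), len(sb))
        ka = [_order(c) for c in sa] + [0] * (n - len(sa))
        kb = [_order(c) for c in sb] + [0] * (n - len(sb))
        if ka != kb:
            return (ka > kb) - (ka < kb)
        da, db = int(da or 0), int(db or 0)
        if da != db:
            return (da > db) - (da < db)
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to ''
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1, ordered like `dpkg --compare-versions`
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def assess(installed_version, doveconf_output):
    # True for each bulletin CVE the host is still exposed to
    unpatched = compare_versions(installed_version, FIXED_VERSION) < 0
    has_sni_blocks = bool(SNI_BLOCK.search(doveconf_output))
    return {"CVE-2017-14461": unpatched, "CVE-2017-15132": unpatched,
            "CVE-2017-15130": unpatched and has_sni_blocks}

SAMPLE_DOVECONF = (  # constructed `doveconf -n` sample, not from any real host
    "protocols = imap pop3\n"
    "local_name mail.example.com {\n  ssl_cert = </etc/ssl/certs/mail.pem\n}\n")

print(assess("1:2.1.7-7+deb7u1", SAMPLE_DOVECONF))
```

On a real Wheezy host, feed it the output of `dpkg-query -W -f='${Version}' dovecot-core` and of `doveconf -n`.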
===========================================================================