
Arch Linux alert ASA-201504-31 (dovecot)

From:  Remi Gacogne <rgacogne@archlinux.org>
To:  Discussion about security issues in Arch Linux and its packages <arch-security@archlinux.org>
Subject:  [arch-security] [ASA-201504-31] dovecot: denial of service
Date:  Wed, 29 Apr 2015 10:41:29 +0200
Message-ID:  <55409939.3070903@archlinux.org>

Arch Linux Security Advisory ASA-201504-31
==========================================

Severity: Low
Date    : 2015-04-29
CVE-ID  : CVE-2015-3420
Package : dovecot
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package dovecot before version 2.2.16-2 is vulnerable to a remote denial of service.

Resolution
==========

Upgrade to 2.2.16-2.

# pacman -Syu "dovecot>=2.2.16-2"

The problem has been fixed upstream but no new version has been released yet.

Workaround
==========

None.

Description
===========

Dovecot <= 2.2.14 does not correctly handle an SSL/TLS handshake failure in the login process: it asks OpenSSL to flush a connection that has already been aborted. This results in a crash with some versions of OpenSSL (most likely >= 1.0.2). A patch to OpenSSL has also been written to handle this situation more gracefully; see references.

Impact
======

A remote unauthenticated attacker can cause a denial of service by repeatedly connecting to Dovecot and causing an SSL/TLS handshake failure.

References
==========

https://access.redhat.com/security/cve/CVE-2015-3420
https://bugs.archlinux.org/task/44757
http://seclists.org/oss-sec/2015/q2/288
http://dovecot.org/pipermail/dovecot/2015-April/100618.html
https://rt.openssl.org/Ticket/Display.html?id=3818&us...
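Triage of an advisory like this one comes down to reading its "Key : value" header, extracting the fixed version from the Resolution section, and comparing it with the version installed on each host using Arch's version ordering. The following is an added example, not part of the advisory and not Arch's own tooling: it parses the ASA fields from a constructed sample of this advisory and applies a simplified vercmp(8)-style comparison (epoch, then pkgver, then pkgrel; separators ignored) to decide whether an installed dovecot is still affected.

```python
import re
from itertools import zip_longest

# Constructed sample: header and resolution fields of ASA-201504-31 as posted.
ADVISORY = """Severity: Low
Date    : 2015-04-29
CVE-ID  : CVE-2015-3420
Package : dovecot
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE
Resolution
Upgrade to 2.2.16-2.
"""

_SEG = re.compile(r"\d+|[A-Za-z]+")   # numeric / alphabetic runs; separators ignored

def parse_advisory(text):
    """Return the 'Key : value' header fields plus the fixed version from Resolution."""
    fields = dict(re.findall(r"^([A-Za-z-]+)\s*:\s*(.+?)\s*$", text, re.M))
    m = re.search(r"^Upgrade to (\S+?)\.?$", text, re.M)
    fields["Fixed"] = m.group(1) if m else None
    return fields

def _cmp_part(a, b):
    # Segment-wise comparison in the spirit of vercmp(8)/rpmvercmp (simplified).
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == y:
            continue
        if x is None or y is None:
            sign = 1 if y is None else -1                  # side with the extra segment
            return sign if (x or y).isdigit() else -sign   # trailing alpha (rc, beta) is older
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment sorts newer than alpha
        return (x > y) - (x < y)
    return 0

def vercmp(a, b):
    """Compare Arch versions [epoch:]pkgver[-pkgrel]; returns -1, 0 or 1 like vercmp(8)."""
    def split(v):
        epoch, _, rest = v.rpartition(":")
        pkgver, _, pkgrel = rest.partition("-")
        return int(epoch or 0), pkgver, pkgrel or "0"
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(va, vb) or _cmp_part(ra, rb)

def is_affected(installed, advisory_text=ADVISORY):
    # True when the installed version is older than the advisory's fixed version.
    return vercmp(installed, parse_advisory(advisory_text)["Fixed"]) < 0
```

On a live system the installed version would come from `pacman -Q dovecot`; the comparison is a simplification of vercmp(8), so treat `vercmp` on the host as authoritative for unusual version strings.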

