——————————————————————————–
Fedora Update Notification
FEDORA-2018-52d79f4f36
2018-04-01 20:13:09.729581
——————————————————————————–
Name : dovecot
Product : Fedora 27
Version : 2.2.34
Release : 1.fc27
URL : http://www.dovecot.org/
Summary : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.
The SQL drivers and authentication plug-ins are in their subpackages.
——————————————————————————–
Update Information:
dovecot updated to 2.2.34, pigeonhole updated to 0.4.22 fixes
CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage,
causing imap-login/pop3-login VSZ limit to be reached and the process
restarted. This happens only if Dovecot config has local_name { } or local
{ } configuration blocks and attacker uses randomly generated SNI
servernames. fixes CVE-2017-14461: Parsing invalid email addresses may cause
a crash or leak memory contents to attacker. For example, these memory
contents might contain parts of an email from another user if the same
imap process is reused for multiple users. fixes CVE-2017-15132:
Aborted SASL authentication leaks memory in login process.
——————————————————————————–
References:
[ 1 ] Bug #1550508 – CVE-2017-14461 dovecot: Information Leak Vulnerability in rfc822_parse_domain leading to denial-of-service [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1550508
[ 2 ] Bug #1538717 – CVE-2017-15132 dovecot: Auth leaks memory if SASL authentication is aborted [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1538717
——————————————————————————–
This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade dovecot’ at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org