Dovecot before 2.2.13 is vulnerable to a DoS attack against
imap/pop3-login processes. If SSL/TLS handshake was started but
wasn't finished, the login process attempted to eventually forcibly
disconnect the client, but failed to do it correctly. This could have
left the connections hanging around for a long time (CVE-2014-3430).
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:113
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : dovecot
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated dovecot packages fix security vulnerability.
Dovecot before 2.2.13 is vulnerable to a DoS attack against
imap/pop3-login processes. If SSL/TLS handshake was started but
wasn't finished, the login process attempted to eventually forcibly
disconnect the client, but failed to do it correctly. This could have
left the connections hanging around for a long time (CVE-2014-3430).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3430
http://advisories.mageia.org/MGASA-2014-0223.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
1eb6e9066872c78e1755c1971036fc16 mbs2/x86_64/dovecot-2.2.6-3.1.mbs2.x86_64.rpm
656bf9481ba301e634d6a726f794dda5 mbs2/x86_64/dovecot-devel-2.2.6-3.1.mbs2.x86_64.rpm
25eba263e3a69fe651c0ed6337949830 mbs2/x86_64/dovecot-pigeonhole-2.2.6-3.1.mbs2.x86_64.rpm
67c9662509cf9fa64d129d846c06627a mbs2/x86_64/dovecot-pigeonhole-devel-2.2.6-3.1.mbs2.x86_64.rpm
11c9627af2b38d1935527942a3e66870 mbs2/x86_64/dovecot-plugins-gssapi-2.2.6-3.1.mbs2.x86_64.rpm
dfc56f23f07520c804b8af8688abdbbc mbs2/x86_64/dovecot-plugins-ldap-2.2.6-3.1.mbs2.x86_64.rpm
3ce270a44b749aef02b65b717518e93b mbs2/x86_64/dovecot-plugins-mysql-2.2.6-3.1.mbs2.x86_64.rpm
3610ca4c251604b05101401712af1694 mbs2/x86_64/dovecot-plugins-pgsql-2.2.6-3.1.mbs2.x86_64.rpm
9abe3f4567e180fcd9cbeaf0af8ea4e5 mbs2/x86_64/dovecot-plugins-sqlite-2.2.6-3.1.mbs2.x86_64.rpm
7d92ecbc2cb08e9591cd9b1be0326f49 mbs2/SRPMS/dovecot-2.2.6-3.1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVF7SMmqjQ0CJFipgRAjUSAKCNzqOuQliJVc1nKiBdZhCBK+iFIQCdFtV9
NspHCwRPAGwc9Te32AbCpxA=
=DyJk
-----END PGP SIGNATURE-----
[ reply ]