oss-sec mailing list archives
CVE request: Dovecot remote DoS on TLS connections
From: Hanno Böck <hanno () hboeck de>
Date: Sun, 26 Apr 2015 20:31:14 +0200
Hi, The current Dovecot (2.2.16) imap/pop3 server has an issue that handshake failures will lead to a crash of the login process. An example where this is triggered is if the server is configured to not allow SSLv3 connections and a client tries to connect with SSLv3 only. The reason is that the error handling routine will try to finish the handshake and that will crash. Details here: http://dovecot.org/pipermail/dovecot/2015-April/100618.html I had created a patch, one of the dovecot devs created a more thorough patch that will probably catch more error states properly: http://dovecot.org/tmp/diff (url likely not stable) Nothing is applied yet I think. I think this deserves a CVE. There is a related issue in openssl: It will crash instead of throwing an error if one tries to use a connection context that already failed. One could argue that this is not an openssl issue, because apps need to properly check errors. Matt Caswell has created a patch to let openssl handle these situations more gracefully: https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest cu, -- Hanno Böck http://hboeck.de/ mail/jabber: hanno () hboeck de GPG: BBB51E42
Attachment:
_bin
Description: OpenPGP digital signature
Current thread:
- CVE request: Dovecot remote DoS on TLS connections Hanno Böck (Apr 26)
- Re: CVE request: Dovecot remote DoS on TLS connections cve-assign (Apr 26)
- Re: Re: CVE request: Dovecot remote DoS on TLS connections Hanno Böck (Apr 28)
- Re: CVE request: Dovecot remote DoS on TLS connections Sven Kieske (May 07)
- Re: CVE request: Dovecot remote DoS on TLS connections Hanno Böck (May 07)
- Re: CVE request: Dovecot remote DoS on TLS connections cve-assign (Apr 26)