oss-sec mailing list archives

Re: CVE request: dovecot denial of service

From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 20 May 2014 12:48:16 -0700

On Tue, May 20, 2014 at 09:32:54PM +0200, Yves-Alexis Perez wrote:

Hi,

we were made aware of a recently fixed DoS vulnerability in Dovecot,
which doesn't seem to have a CVE id assigned:

http://dovecot.org/list/dovecot-news/2014-May/000273.html

states:

* Fixed a DoS attack against imap/pop3-login processes. If SSL/TLS
  handshake was started but wasn't finished, the login process
  attempted to eventually forcibly disconnect the client, but failed
  to do it correctly. This could have left the connections hanging
  arond for a long time. (Affected Dovecot v1.1+)

Could a CVE be assigned for this vulnerability?


CVE-2014-3430 was assigned for this issue:

http://www.openwall.com/lists/oss-security/2014/05/09/8

Thanks

Attachment: signature.asc
Description: Digital signature

Current thread:

CVE request: dovecot denial of service Yves-Alexis Perez (May 20)
- Re: CVE request: dovecot denial of service Seth Arnold (May 20)
- Re: CVE request: dovecot denial of service Marc Deslauriers (May 20)
- Re: CVE request: dovecot denial of service Yves-Alexis Perez (May 20)