oss-sec mailing list archives
Re: CVE request: Dovecot remote DoS on TLS connections
From: Hanno Böck <hanno () hboeck de>
Date: Thu, 7 May 2015 10:39:06 +0200
On Thu, 7 May 2015 10:15:49 +0200 Sven Kieske <s.kieske () mittwald de> wrote:
> On 26/04/15 20:31, Hanno Böck wrote:
>> The current Dovecot (2.2.16) imap/pop3 server has an issue that
>> handshake failures will lead to a crash of the login process.
>
> Do you happen to know in which version this vulnerability got introduced?

2.2.14. But things are complicated: There was some breakage in 2.2.13 regarding TLS so some distros (I know this from Gentoo) backported some TLS related patches to 2.2.13, therefore you could also see it there.

Also, you'll probably only see this with SSLv3 disabled. (at least that's the only situation where this particular crash in openssl can be triggered, but there may be other codepaths affected by that problem)

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42