oss-sec mailing list archives

Dovecot Security Advisory: CVE-2017-15130 TLS SNI config lookups are inefficient and can be used for DoS


From: Aki Tuomi <aki.tuomi () open-xchange com>
Date: Thu, 1 Mar 2018 08:52:26 +0200 (EET)

Vulnerable versions: 2.2.0 - 2.2.33, 2.3.0
Fixed versions: 2.2.34, 2.3.0.1
Score: 3.7, AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

If Dovecot has been configured with local name or local net
configuration blocks, SNI lookups can be used to trash memory with
useless config by using random servernames.
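
A defender-side check for the condition described above, as an added example that is not part of the advisory or of Dovecot: it tests a version string against the listed ranges and looks for the relevant blocks in configuration text. It assumes the "local name" and "local net" blocks are Dovecot's `local_name` and `local` filters; the function names, sample configuration and version suffix are constructed for illustration.

```python
import re

# Ranges from the advisory: vulnerable 2.2.0 - 2.2.33 and 2.3.0; fixed in 2.2.34 and 2.3.0.1.
VULNERABLE_RANGES = [((2, 2, 0), (2, 2, 34)), ((2, 3, 0), (2, 3, 0, 1))]

# Assumption: the advisory's blocks are opened by `local_name ... {` or `local ... {`.
BLOCK_RE = re.compile(r"^\s*(local_name|local)\s+([^{#]+?)\s*\{")

def parse_version(text):
    """Turn '2.2.33 (constructed)' into (2, 2, 33), padded to at least three parts."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))

def version_is_vulnerable(text):
    v = parse_version(text)
    return any(low <= v < fixed for low, fixed in VULNERABLE_RANGES)

def sni_filter_blocks(config_text):
    """Return (keyword, argument) for each uncommented local_name/local block opener."""
    found = []
    for line in config_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2).strip()))
    return found

def assess(version_text, config_text):
    blocks = sni_filter_blocks(config_text)
    if not version_is_vulnerable(version_text):
        return "not-affected-version", blocks
    return ("exposed" if blocks else "vulnerable-version-no-blocks"), blocks

# Constructed sample in the style of a Dovecot configuration dump (not from a real host).
SAMPLE_CONFIG = """\
ssl = required
# local_name commented.example {
local_name imap.example.org {
  ssl_cert = </etc/ssl/imap.example.org.pem
}
local 192.0.2.0/24 {
  ssl_key = </etc/ssl/internal.key
}
"""
if __name__ == "__main__":
    for ver in ("2.2.33 (constructed)", "2.3.0", "2.2.34", "2.3.0.1"):
        print(ver, assess(ver, SAMPLE_CONFIG))
```

Feed `assess` the version string and configuration text collected from the host; an "exposed" result means both conditions in the advisory hold and the upgrade to a fixed version applies.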
