Bugzilla – Bug 928886
VUL-1: CVE-2015-3420: dovecot: remote DoS on TLS connections
Last modified: 2020-01-15 16:47:54 UTC
via oss-sec http://seclists.org/oss-sec/2015/q2/288

> The current Dovecot (2.2.16) imap/pop3 server has an issue that
> handshake failures will lead to a crash of the login process.
>
> An example where this is triggered is if the server is configured to
> not allow SSLv3 connections and a client tries to connect with SSLv3
> only.
>
> The reason is that the error handling routine will try to finish the
> handshake and that will crash. Details here:
> http://dovecot.org/pipermail/dovecot/2015-April/100618.html
>
> I had created a patch, one of the dovecot devs created a more thorough
> patch that will probably catch more error states properly:
> http://dovecot.org/tmp/diff
> (url likely not stable)
> Nothing is applied yet I think.

The upstream commit seems to be:

# HG changeset patch
# User Timo Sirainen <tss@iki.fi>
# Date 1430213224 -7200
# Node ID 86f5353757500a8c53aa708282bbdd77ac270011
# Parent a2d342257b25e10e7c6c1aaade9e49d22d849c05
*-login: Don't try to flush SSL output if SSL handshake fails. This fixes a crash on failed handshakes on some OpenSSL builds.

http://hg.dovecot.org/dovecot-2.2/rev/86f535375750

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3420
http://hg.dovecot.org/dovecot-2.2/rev/86f535375750
http://seclists.org/oss-sec/2015/q2/288
bugbot adjusting priority
How to reproduce it: "This can be tested by disabling SSLv3 in the dovecot config (ssl_protocols = !SSLv2 !SSLv3) and trying to connect with openssl and forced sslv3 (openssl s_client -ssl3 -connect localhost:995). This would cause a crash."
The current 2.2 version, dovecot-2.2.36, already contains the fix.