Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 26 Apr 2015 20:31:14 +0200
From: Hanno Böck <>
Subject: CVE request: Dovecot remote DoS on TLS connections


The current Dovecot (2.2.16) imap/pop3 server has an issue that
handshake failures will lead to a crash of the login process.

An example where this is triggered is if the server is configured to
not allow SSLv3 connections and a client tries to connect with SSLv3

The reason is that the error handling routine will try to finish the
handshake and that will crash. Details here:

I had created a patch, one of the dovecot devs created a more thorough
patch that will probably catch more error states properly:
(url likely not stable)
Nothing is applied yet I think.

I think this deserves a CVE.

There is a related issue in openssl: It will crash instead of throwing
an error if one tries to use a connection context that already failed.
One could argue that this is not an openssl issue, because apps need to
properly check errors. Matt Caswell has created a patch to let openssl
handle these situations more gracefully:

Hanno Böck


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ