Date: Sun, 26 Apr 2015 20:31:14 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: CVE request: Dovecot remote DoS on TLS connections Hi, The current Dovecot (2.2.16) imap/pop3 server has an issue that handshake failures will lead to a crash of the login process. An example where this is triggered is if the server is configured to not allow SSLv3 connections and a client tries to connect with SSLv3 only. The reason is that the error handling routine will try to finish the handshake and that will crash. Details here: http://dovecot.org/pipermail/dovecot/2015-April/100618.html I had created a patch, one of the dovecot devs created a more thorough patch that will probably catch more error states properly: http://dovecot.org/tmp/diff (url likely not stable) Nothing is applied yet I think. I think this deserves a CVE. There is a related issue in openssl: It will crash instead of throwing an error if one tries to use a connection context that already failed. One could argue that this is not an openssl issue, because apps need to properly check errors. Matt Caswell has created a patch to let openssl handle these situations more gracefully: https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest cu, -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@...eck.de GPG: BBB51E42 [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ