Date: Thu, 7 May 2015 10:39:06 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Dovecot remote DoS on TLS connections

On Thu, 7 May 2015 10:15:49 +0200
Sven Kieske <s.kieske@...twald.de> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 26/04/15 20:31, Hanno Böck wrote:
> > The current Dovecot (2.2.16) imap/pop3 server has an issue that
> > handshake failures will lead to a crash of the login process.
>
> Do you happen to know in which version this vulnerability got
> introduced?

2.2.14. But things are complicated: There was some breakage in 2.2.13
regarding TLS so some distros (I know this from Gentoo) backported some
TLS related patches to 2.2.13, therefore you could also see it there.

Also, you'll probably only see this with SSLv3 disabled. (at least
that's the only situation where this particular crash in openssl can be
triggered, but there may be other codepaths affected by that problem)

--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42