Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 7 May 2015 10:39:06 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Dovecot remote DoS on TLS
 connections

On Thu, 7 May 2015 10:15:49 +0200
Sven Kieske <s.kieske@...twald.de> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 26/04/15 20:31, Hanno Böck wrote:
> > The current Dovecot (2.2.16) imap/pop3 server has an issue that 
> > handshake failures will lead to a crash of the login process.
> 
> Do you happen to know in which version this vulnerability got
> introduced?

2.2.14.
But things are comlicated: There was some breakage in 2.2.13 regarding
TLS so some distros (I know this from Gentoo) backported some TLS
related patches to 2.2.13, therefore you could also see it there.

Also, you'll probably only see this with SSLv3 disabled. (at least
that's the only situation where this particular crash in openssl can be
triggered, but there may be other codepaths affected by that problem)

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ