Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 2 Dec 2016 09:02:33 +0200
From: Aki Tuomi <aki.tuomi@...ecot.fi>
To: oss-security@...ts.openwall.com
Subject: Important vulnerability in Dovecot (CVE-2016-8652)

Important vulnerability in Dovecot (CVE-2016-8652)
CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H)
Affected version(s): 2.2.25.1 up to 2.2.26.1
Fixed in: 2.2.27.1rc1

Short summary: Dovecot auth component can be crashed by remote user when
auth-policy component is activated.

If auth-policy component has been activated in Dovecot, then remote user
can use SASL authentication to crash auth component.

Workaround is to disable auth-policy component until fix is in place.
This can be done by commenting out all auth_policy_* settings.

Aki Tuomi
Dovecot oy

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ