Date: Wed, 31 Jan 2018 08:48:28 +0200 (EET) From: Aki Tuomi <aki.tuomi@...n-xchange.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2017-15132: dovecot: auth client leaks memory if SASL authentication is aborted. > On January 25, 2018 at 11:35 AM Aki Tuomi <aki.tuomi@...n-xchange.com> wrote: > > > Score: 5.3, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L > Affected versions: 2.0 up to 2.2.33 and 2.3.0 > Fixed versions: 2.2.34 (not released yet), 2.3.1 (not released yet) > > We have identified a memory leak in Dovecot auth client used by login > processes. The leak has impact in high performance configuration where > same login processes are reused and can cause the process to crash due to memory exhaustion. > > Patch to apply this issue can be found from https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch > > To our best knowledge, this patch should apply to all versions. > > This issue can be mitigated on vulnerably systems by limiting login process to single request per process, which is also the default value. > > Regards, > Aki Tuomi > Dovecot oy Team Debian has found an issue with our patch. Dovecot login process would crash after few minutes of idle after consecutive aborted logins. This is fixed with https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22.patch We would like to thank Apollon and Salvatore for raising this to our attention. Aki Tuomi Dovecot oy
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ