Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 31 Jan 2018 08:48:28 +0200 (EET)
From: Aki Tuomi <aki.tuomi@...n-xchange.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-15132: dovecot: auth client leaks memory if SASL
 authentication is aborted.


> On January 25, 2018 at 11:35 AM Aki Tuomi <aki.tuomi@...n-xchange.com> wrote:
> 
> 
> Score: 5.3, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
> Affected versions: 2.0 up to 2.2.33 and 2.3.0
> Fixed versions: 2.2.34 (not released yet), 2.3.1 (not released yet)
> 
> We have identified a memory leak in Dovecot auth client used by login
> processes. The leak has impact in high performance configuration where
> same login processes are reused and can cause the process to crash due to memory exhaustion.
> 
> Patch to apply this issue can be found from https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch
> 
> To our best knowledge, this patch should apply to all versions.
> 
> This issue can be mitigated on vulnerably systems by limiting login process to single request per process, which is also the default value.
> 
> Regards,
> Aki Tuomi
> Dovecot oy

Team Debian has found an issue with our patch. Dovecot login process would crash after few minutes of idle after consecutive aborted logins.

This is fixed with https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22.patch

We would like to thank Apollon and Salvatore for raising this to our attention. 

Aki Tuomi
Dovecot oy

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ