Date: Tue, 20 May 2014 21:48:17 +0200 From: Yves-Alexis Perez <corsac@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: CVE request: dovecot denial of service On mar., 2014-05-20 at 21:32 +0200, Yves-Alexis Perez wrote: > Hi, > > we were made aware of a recently fixed DoS vulnerability in Dovecot, > which doesn't seem to have a CVE id assigned: > > http://dovecot.org/list/dovecot-news/2014-May/000273.html > > states: > > * Fixed a DoS attack against imap/pop3-login processes. If SSL/TLS > handshake was started but wasn't finished, the login process > attempted to eventually forcibly disconnect the client, but failed > to do it correctly. This could have left the connections hanging > arond for a long time. (Affected Dovecot v1.1+) > > Could a CVE be assigned for this vulnerability? > It looks like this is the CVE-2014-3430 assigned in <201405092055.s49KtC6i025402@...us.mitre.org> not long ago. -- Yves-Alexis Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.