List: oss-security
Subject: [oss-security] Re: CVE-2017-15132: dovecot: auth client leaks memory if SASL authentication is abort
From: Aki Tuomi <aki.tuomi () open-xchange ! com>
Date: 2018-01-31 6:48:28
Message-ID: 1460642161.10860.1517381308655 () appsuite ! open-xchange ! com
> On January 25, 2018 at 11:35 AM Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
>
>
> Score: 5.3, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
> Affected versions: 2.0 up to 2.2.33 and 2.3.0
> Fixed versions: 2.2.34 (not released yet), 2.3.1 (not released yet)
>
> We have identified a memory leak in the Dovecot auth client used by login
> processes. The leak has an impact in high-performance configurations where the
> same login processes are reused, and it can cause the process to crash due to memory exhaustion.
>
> The patch for this issue can be found at
> https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch
> To the best of our knowledge, this patch should apply to all versions.
>
> This issue can be mitigated on vulnerable systems by limiting login processes to a single request
> per process, which is also the default value.
> Regards,
> Aki Tuomi
> Dovecot oy
Team Debian has found an issue with our patch. The Dovecot login process would crash after a few
minutes of idle time following consecutive aborted logins.
This is fixed with https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22.patch
We would like to thank Apollon and Salvatore for raising this to our attention.
Aki Tuomi
Dovecot oy
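The advisory's mitigation is the default of one request per login process; only deployments that reuse login processes (the "high performance" mode, where `service_count = 0` is set on a `*-login` service) accumulate the leaked allocations. The script below is an added audit helper, not part of the advisory and not Dovecot project code. It parses the output of `doveconf -n` (which lists only non-default settings, so a `*-login` block without `service_count` is on the default of 1) and reports login services running in reusable mode. The embedded `doveconf -n` text is a constructed sample for demonstration; the function names are assumptions made here.

```shell
#!/bin/sh
# Added audit helper (not from the advisory or the Dovecot project): reads
# `doveconf -n` output and reports login services that run in reusable,
# high-performance mode (service_count = 0), the configuration the advisory
# describes as affected by the leak on aborted SASL authentication.
#
# Real usage:   doveconf -n | reused_login_services
# The sample below is constructed for demonstration only.
SAMPLE_DOVECONF='# 2.2.33: /etc/dovecot/dovecot.conf
mail_location = maildir:~/Maildir
service imap-login {
  process_min_avail = 4
  service_count = 0
  vsz_limit = 1 G
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
}
ssl = required'

# Print the name of every "*-login" service block whose service_count is 0.
# Reads doveconf -n text on stdin; awk tracks the enclosing top-level
# service block and ignores nested blocks such as inet_listener { ... }.
reused_login_services() {
    awk '
        /^service [a-z0-9-]+-login [{]/ { svc = $2; next }
        svc != "" && /^ *service_count *= *0 *$/ { print svc }
        /^[}]/ { svc = "" }
    '
}

# Take doveconf -n text as $1. Return 0 when every login service keeps the
# default (one request per process), 1 when at least one is reused; prints
# a line per finding so the output can be read by a human or a monitor.
check_login_service_count() {
    found=$(printf '%s\n' "$1" | reused_login_services)
    if [ -z "$found" ]; then
        echo "ok: all login services use the default service_count = 1"
        return 0
    fi
    for s in $found; do
        echo "affected: service $s runs with service_count = 0 (processes reused across logins)"
    done
    return 1
}

# Demonstration on the constructed sample; flags imap-login, not pop3-login.
check_login_service_count "$SAMPLE_DOVECONF" || echo "review the flagged services or apply the fixed release"
```

On a host that has not yet received the fixed release, a flagged service can be returned to the default by removing `service_count = 0` from its block (or setting it to 1), after which `doveconf -n` no longer lists the setting.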