Advisories » MGASA-2014-0223

Updated dovecot packages fix security vulnerability

Publication date: 17 May 2014
Modification date: 17 May 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-3430

Description

Updated dovecot packages fix security vulnerability.

Dovecot before 2.2.13 is vulnerable to a DoS attack against imap/pop3-login
processes. If SSL/TLS handshake was started but wasn't finished, the login
process attempted to eventually forcibly disconnect the client, but failed
to do it correctly. This could have left the connections hanging around for
a long time (CVE-2014-3430).
                

References

• http://permalink.gmane.org/gmane.mail.imap.dovecot/77499
• http://www.dovecot.org/list/dovecot-news/2014-May/000273.html
• http://openwall.com/lists/oss-security/2014/05/09/8
• https://bugs.mageia.org/show_bug.cgi?id=13355
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3430

SRPMS

3/core

• dovecot-2.1.15-2.1.mga3

4/core

• dovecot-2.2.6-2.2.mga4