Advisories » MGASA-2018-0160

Updated dovecot packages fix security vulnerabilities

Publication date: 07 Mar 2018
Modification date: 07 Mar 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-14461 , CVE-2017-15130

Description

Dovecot has been updated to version 2.2.34 to fix two security issues.

CVE-2017-14461:
This vulnerability comes in two flavors. A malicious party can send a
specially crafted email to a vulnerable system, causing it to crash
dovecot. In some systems, the mail can be stored into the mail system, 
causing crash every time it is being opened.

CVE-2017-15130:
If dovecot has been configured with local name or local net
configuration blocks, SNI lookups can be used to trash memory with
useless config by using random servernames.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=22673
• http://openwall.com/lists/oss-security/2018/03/01/2
• http://openwall.com/lists/oss-security/2018/03/01/3
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14461
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15130

SRPMS

6/core

• dovecot-2.2.34-1.mga6