Debian DSA-4130-1 : dovecot - security update

high Nessus Plugin ID 107122

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the Dovecot email server. The Common Vulnerabilities and Exposures project identifies the following issues :

- CVE-2017-14461 Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that Dovecot does not properly parse invalid email addresses, which may cause a crash or leak memory contents to an attacker.

- CVE-2017-15130 It was discovered that TLS SNI config lookups may lead to excessive memory usage, causing imap-login/pop3-login VSZ limit to be reached and the process restarted, resulting in a denial of service. Only Dovecot configurations containing local_name { } or local { } configuration blocks are affected.

- CVE-2017-15132 It was discovered that Dovecot contains a memory leak flaw in the login process on aborted SASL authentication.

Solution

Upgrade the dovecot packages.

For the oldstable distribution (jessie), these problems have been fixed in version 1:2.2.13-12~deb8u4.

For the stable distribution (stretch), these problems have been fixed in version 1:2.2.27-3+deb9u2.

See Also

https://security-tracker.debian.org/tracker/source-package/dovecot

https://packages.debian.org/source/jessie/dovecot

https://packages.debian.org/source/stretch/dovecot

https://www.debian.org/security/2018/dsa-4130

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888432

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891819

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891820

https://security-tracker.debian.org/tracker/CVE-2017-14461

https://security-tracker.debian.org/tracker/CVE-2017-15130

https://security-tracker.debian.org/tracker/CVE-2017-15132

Plugin Details

Severity: High

ID: 107122

File Name: debian_DSA-4130.nasl

Version: 3.4

Type: local

Agent: unix

Published: 3/5/2018

Updated: 11/13/2018

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:P

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:dovecot, cpe:/o:debian:debian_linux:8.0, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 3/2/2018

Reference Information

CVE: CVE-2017-14461, CVE-2017-15130, CVE-2017-15132

DSA: 4130