Description
Security update for dovecot22
This update for dovecot22 to version 2.2.29.1 fixes the following issues:
This security issue was fixed:
- CVE-2017-2669: Don't double-expand %variables in keys. If dict was used as the authentication passdb, specially crafted %variables in the username could be used to cause a denial of service (bsc#1032248)
Additionally, stronger default SSL ciphers are now used.
This non-security issue was fixed:
- Remove all references to /etc/ssl/certs/; it should no longer be used (bsc#932386)
More changes are available in the changelog. Please make sure you read README.SUSE after installing this update.
Package list
SUSE Linux Enterprise Server 12 SP1
SUSE Linux Enterprise Server 12 SP2
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE Linux Enterprise Server for SAP Applications 12 SP1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
SUSE Linux Enterprise Software Development Kit 12 SP1
SUSE Linux Enterprise Software Development Kit 12 SP2
References
- Link for SUSE-SU-2017:1250-1
- E-Mail link for SUSE-SU-2017:1250-1
- SUSE Security Ratings
- SUSE Bug 1032248
- SUSE Bug 854512
- SUSE Bug 932386
- SUSE CVE CVE-2017-2669 page
Description
Dovecot before version 2.2.29 is vulnerable to a denial of service. When the 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was passed through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage, causing the process to crash (and restart), or excessive CPU usage, causing all authentications to hang.
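The bug class behind the advisory's "Don't double-expand %variables in keys" item and the CVE description above, as an added example that is not Dovecot's own code: a toy %variable expander with a deliberately simplified syntax (%u, %d, %{name}), a function that models the pre-2.2.29 behaviour of expanding the dict key template and then expanding the result again, and the fixed single-pass version in which the client-supplied username is an opaque value. The key templates, the sample usernames and the MAX_KEY_LEN budget are constructed for illustration and are not Dovecot settings.

```python
import re

# Simplified template syntax: %u (user), %d (domain), %{name}. Dovecot's
# real var_expand() supports far more (modifiers, widths, etc.); this is
# an illustrative subset, not its implementation.
VAR_RE = re.compile(r"%(?:\{(?P<long>[A-Za-z_]+)\}|(?P<short>[ud]))")

# Assumed output budget for the defence-in-depth check below; this is an
# illustration, not a Dovecot setting.
MAX_KEY_LEN = 64


def expand_once(template: str, variables: dict) -> str:
    """Single-pass expansion: each %variable is replaced by the literal value
    of that variable. Substituted values are never rescanned for '%'."""
    def substitute(match):
        name = match.group("long") or match.group("short")
        return variables.get(name, "")
    return VAR_RE.sub(substitute, template)


def dict_key_double_expanded(key_template: str, username: str, domain: str) -> str:
    """Models the pre-2.2.29 behaviour the advisory describes: the dict key
    template is expanded, and the result, which now contains the
    client-supplied username, is fed through the expander a second time, so
    any %variables the client put in the username are treated as template
    syntax and expanded again."""
    variables = {"u": username, "d": domain}
    first_pass = expand_once(key_template, variables)
    return expand_once(first_pass, variables)


def dict_key_fixed(key_template: str, username: str, domain: str) -> str:
    """The fix: expand the key template exactly once, so the username is an
    opaque value and a '%' inside it stays a literal byte of the key."""
    return expand_once(key_template, {"u": username, "d": domain})


def dict_key_checked(key_template: str, username: str, domain: str) -> str:
    """Single expansion plus an output budget (an assumption added here as
    defence in depth, not part of the advisory): refuse keys whose expanded
    size exceeds MAX_KEY_LEN."""
    key = dict_key_fixed(key_template, username, domain)
    if len(key) > MAX_KEY_LEN:
        raise ValueError(f"expanded dict key too long ({len(key)} > {MAX_KEY_LEN})")
    return key


def amplification(username: str, domain: str = "example.com",
                  template: str = "passdb/%u") -> tuple:
    """Return (fixed_len, double_expanded_len) for a username, to show how a
    username made of k self-referencing %u sequences grows k-fold per extra
    expansion pass while the fixed version grows linearly."""
    return (len(dict_key_fixed(template, username, domain)),
            len(dict_key_double_expanded(template, username, domain)))


if __name__ == "__main__":
    # Constructed inputs: a benign login and usernames that are pure template syntax.
    print(dict_key_fixed("shared/%d/%u", "alice", "example.com"))
    print(amplification("%u" * 8))
    print(amplification("%u" * 32))
```

For a benign username both versions produce the same key, which is why the bug went unnoticed: it only surfaces when the untrusted value itself contains template syntax. The fix described in the advisory is the single expansion in dict_key_fixed; the size budget in dict_key_checked is an extra guard that bounds what a single expansion can produce and is not something the advisory claims Dovecot does. After applying the update, confirm that the installed dovecot22 package is at least version 2.2.29.1 before relying on the fix.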
Affected products
References
- CVE-2017-2669
- SUSE Bug 1032248