CVE-2017-15132
Publication date 25 January 2018
Last updated 24 July 2024
Ubuntu priority
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| dovecot | ||
| 16.04 LTS xenial |
Fixed 1:2.2.22-1ubuntu2.6
|
|
| 14.04 LTS trusty |
Fixed 1:2.2.9-1ubuntu2.3
|
Notes
leosilva
debian found a regression caused by this commit. In order to fix this both commit/patch should be applied.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3556-2
- Dovecot vulnerabilities
- 1 February 2018
- USN-3556-1
- Dovecot vulnerability
- 1 February 2018
Other references
- https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch
- http://www.openwall.com/lists/oss-security/2018/01/31/1
- https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22.patch
- https://bugzilla.redhat.com/show_bug.cgi?id=1532768
- https://www.cve.org/CVERecord?id=CVE-2017-15132