CVE-2017-2669

Published: 10 April 2017

Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
dovecot
Launchpad, Ubuntu, Debian 		Upstream Needed

Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable

Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(1:2.2.9-1ubuntu2.1)
Ubuntu 12.04 ESM (Precise Pangolin) Not vulnerable

Patches:
Upstream: https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735

Notes

AuthorNote
tyhicks Vulnerable versions: 2.2.26 - 2.2.28

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM

Further reading