dovecot: CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process


Debian Bug report logs - #783649
dovecot: CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 28 Apr 2015 18:15:01 UTC

Severity: serious

Tags: fixed-upstream, patch, security, upstream

Found in version dovecot/1:2.2.13-11

Fixed in version dovecot/1:2.2.13-12

Done: Jelmer Vernooij <jelmer@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#783649; Package src:dovecot. (Tue, 28 Apr 2015 18:15:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Tue, 28 Apr 2015 18:15:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dovecot: CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process
Date: Tue, 28 Apr 2015 20:12:35 +0200
Source: dovecot
Version: 1:2.2.13-11
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for dovecot.

CVE-2015-3420[0]:
SSL/TLS handshake failures leading to a crash of the login process

The segfault is easily reproducible if one takes openssl/1.0.2-1 from
experimental. More information and reproducer steps are in [1,2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3420
[1] http://dovecot.org/pipermail/dovecot/2015-April/100618.html
[2] http://dovecot.org/pipermail/dovecot/2015-April/100579.html
[3] http://hg.dovecot.org/dovecot-2.2/rev/86f535375750

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
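The header of this report states the affected version (dovecot/1:2.2.13-11) and the fixed one (dovecot/1:2.2.13-12). Deciding whether an installed package is still exposed means ordering Debian version strings correctly, including the epoch, the `~` rule and the Debian revision. The following Python is an added example, not part of this bug report and not Debian's own tooling; it reimplements dpkg's version-ordering rules as I understand them, and the function names (`compare_versions`, `is_vulnerable`) are my own.

```python
"""Order Debian version strings as dpkg does, to test an installed dovecot
version against the fix for CVE-2015-3420 (added example, not Debian code)."""

# Versions taken from the bug header above; the package name is used only for messages.
PACKAGE = "dovecot"
FIXED_VERSION = "1:2.2.13-12"


def _order(c: str) -> int:
    # Sort weight of a single non-digit character, following dpkg's rules:
    # '~' sorts before everything (even end-of-string), letters sort by code
    # point, any other character sorts after all letters.
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    # Compare one version fragment (upstream part or Debian revision) by
    # alternating between a non-digit run and a digit run; the digit run is
    # compared numerically, ignoring leading zeros.
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia] if ia < len(a) else "")
            bc = _order(b[ib] if ib < len(b) else "")
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if first_diff == 0:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1  # a has more digits in this run, so it is the larger number
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    # Split "[epoch:]upstream[-revision]"; a missing epoch is 0 and a missing
    # revision compares equal to "0".
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (result > 0) - (result < 0)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts strictly before the fixed one."""
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample inputs: the affected and fixed versions from this report,
    # a hypothetical stable security update and a hypothetical epoch-less build.
    for candidate in ["1:2.2.13-11", "1:2.2.13-12", "1:2.2.13-12+deb8u1", "2.2.21-1"]:
        state = "VULNERABLE" if is_vulnerable(candidate) else "fixed"
        print(f"{PACKAGE} {candidate}: {state} (fix is {FIXED_VERSION})")
```

Two caveats worth noting when using ordering alone as the check. First, the epoch dominates: an epoch-less `2.2.21-1` sorts before `1:2.2.13-12` even though its upstream part is newer, which is correct dpkg behaviour and the reason the epoch must never be dropped when recording affected versions. Second, a backport such as `1:2.2.13-12~bpo8+1` sorts before `1:2.2.13-12` although it contains the same source; for such cases the CVE identifier in the changelog entry, which the report asks the maintainer to include, is the reliable signal rather than the version order.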



Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#783649; Package src:dovecot. (Sat, 02 May 2015 18:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Sat, 02 May 2015 18:03:04 GMT)


Message #10 received at 783649@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 783649@bugs.debian.org
Subject: Re: Bug#783649: dovecot: CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process
Date: Sat, 2 May 2015 19:58:08 +0200
Hi

Additional information: This is possibly introduced due to
http://hg.dovecot.org/dovecot-2.2/rev/09d3c9c6f0ad (but not checked
closer yet).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#783649; Package src:dovecot. (Sun, 03 May 2015 17:15:10 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Sun, 03 May 2015 17:15:10 GMT)


Message #15 received at 783649@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 783649@bugs.debian.org
Subject: Re: Bug#783649: dovecot: CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process
Date: Sun, 3 May 2015 18:58:55 +0200
Control: severity -1 serious

Hi

Increasing the severity, since the openssl version which makes the
crashes easily reproducible is now in unstable.

Regards,
Salvatore



Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 783649-submit@bugs.debian.org. (Sun, 03 May 2015 17:15:10 GMT)


Reply sent to Jelmer Vernooij <jelmer@debian.org>:
You have taken responsibility. (Mon, 04 May 2015 12:24:20 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 04 May 2015 12:24:20 GMT)


Message #22 received at 783649-close@bugs.debian.org:

From: Jelmer Vernooij <jelmer@debian.org>
To: 783649-close@bugs.debian.org
Subject: Bug#783649: fixed in dovecot 1:2.2.13-12
Date: Mon, 04 May 2015 12:20:49 +0000
Source: dovecot
Source-Version: 1:2.2.13-12

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783649@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jelmer Vernooij <jelmer@debian.org> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 04 May 2015 11:38:30 +0000
Source: dovecot
Binary: dovecot-core dovecot-dev dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-managesieved dovecot-pgsql dovecot-mysql dovecot-sqlite dovecot-ldap dovecot-gssapi dovecot-sieve dovecot-solr dovecot-lucene dovecot-dbg
Architecture: source amd64
Version: 1:2.2.13-12
Distribution: unstable
Urgency: high
Maintainer: Dovecot Maintainers <jaldhar-dovecot@debian.org>
Changed-By: Jelmer Vernooij <jelmer@debian.org>
Description:
 dovecot-core - secure POP3/IMAP server - core files
 dovecot-dbg - secure POP3/IMAP server - debug symbols
 dovecot-dev - secure POP3/IMAP server - header files
 dovecot-gssapi - secure POP3/IMAP server - GSSAPI support
 dovecot-imapd - secure POP3/IMAP server - IMAP daemon
 dovecot-ldap - secure POP3/IMAP server - LDAP support
 dovecot-lmtpd - secure POP3/IMAP server - LMTP server
 dovecot-lucene - secure POP3/IMAP server - Lucene support
 dovecot-managesieved - secure POP3/IMAP server - ManageSieve server
 dovecot-mysql - secure POP3/IMAP server - MySQL support
 dovecot-pgsql - secure POP3/IMAP server - PostgreSQL support
 dovecot-pop3d - secure POP3/IMAP server - POP3 daemon
 dovecot-sieve - secure POP3/IMAP server - Sieve filters support
 dovecot-solr - secure POP3/IMAP server - Solr support
 dovecot-sqlite - secure POP3/IMAP server - SQLite support
Closes: 783649
Changes:
 dovecot (1:2.2.13-12) unstable; urgency=high
 .
   * [48f6fe4] Add patch cve-2015-3420.patch: Fix SSL/TLS handshake failures
     leading to a crash of the login process with newer versions of OpenSSL.
     Closes: #783649 (CVE-2015-3420)
Checksums-Sha1:
 60a7084cc20fb8655c93cbd2306444d7bbb09d68 2887 dovecot_2.2.13-12.dsc
 8e13a4666ab483c148aa032ea6519dd0b8e9d43c 735008 dovecot_2.2.13-12.debian.tar.xz
 7e1a77af6ff26d3e630ad75e53b7fa5d2996299f 2656266 dovecot-core_2.2.13-12_amd64.deb
 356417c8b16e995b3e20afbf6c2be56e9e85209e 749754 dovecot-dev_2.2.13-12_amd64.deb
 c824e1bd94d62abcbc238e2a05d8686a5653cbee 646626 dovecot-imapd_2.2.13-12_amd64.deb
 763d573e2b317c5fa4756afd20eb4e3edc26973b 550032 dovecot-pop3d_2.2.13-12_amd64.deb
 4d8e9b9e365dc9cffa4681f2524132c5a9cf1618 541832 dovecot-lmtpd_2.2.13-12_amd64.deb
 1565ceb517aa4032775a65c99962ac54c6cd4ced 568754 dovecot-managesieved_2.2.13-12_amd64.deb
 6dd57b33783a4fa914e78b29e56e3445bfedd43e 533354 dovecot-pgsql_2.2.13-12_amd64.deb
 fb1ddac2d0ad3b169398dc02e000af60d55b5ed1 530994 dovecot-mysql_2.2.13-12_amd64.deb
 7833bef8222b3ce20cb307def27327cc1014dd3e 529152 dovecot-sqlite_2.2.13-12_amd64.deb
 f505d475a2449169b1468529d1516f7398988301 544372 dovecot-ldap_2.2.13-12_amd64.deb
 ddcbf8669847846b346bda7d6e0ab0842c036b65 530390 dovecot-gssapi_2.2.13-12_amd64.deb
 3c3ae48cf131c4e2764e5c135636ea7fb2a9b6a1 766374 dovecot-sieve_2.2.13-12_amd64.deb
 4a8732b2de5042bfd3fdb0c843aad8a348612537 541262 dovecot-solr_2.2.13-12_amd64.deb
 e92842e07000c44e52859d24f6dd877663ee436c 548232 dovecot-lucene_2.2.13-12_amd64.deb
 fa28c5eb0d72b6791c73ecc5657bc8c24e00ebcd 6720470 dovecot-dbg_2.2.13-12_amd64.deb
Checksums-Sha256:
 b66480acc5724fe4e5598601a7188e711a9502b07e20f562b7c32586ecc36e42 2887 dovecot_2.2.13-12.dsc
 26b2fcd9850473dc63c4b9d7909d46bee728eb49cab098435c785aa992e83b47 735008 dovecot_2.2.13-12.debian.tar.xz
 057a3567b637e9f6481ea059b3842034915b17787c9741d74223de9e9ca93762 2656266 dovecot-core_2.2.13-12_amd64.deb
 f870e920aab7e63e62da3677782c6a68661634468c433c4f9e9ca9e27e382d5c 749754 dovecot-dev_2.2.13-12_amd64.deb
 84412ba3b96a6773a0f5576f63d8a62a78767e8d1c34bcb13dd7033442483437 646626 dovecot-imapd_2.2.13-12_amd64.deb
 11d0116c26640a4c0b14559d13a370856090d77a28eec61f09c762dfdc850324 550032 dovecot-pop3d_2.2.13-12_amd64.deb
 06964afc6636526f24ad99d69c96efec042c04addb2f097837dd67c13b4f0304 541832 dovecot-lmtpd_2.2.13-12_amd64.deb
 e5e9e7cdfeee0dfcd3aa6598a4546d038697729097a5a95ef19c561618d37e40 568754 dovecot-managesieved_2.2.13-12_amd64.deb
 0efe3c148fae729225cd0c174c016aab0311483a321cadef4901412a6435df71 533354 dovecot-pgsql_2.2.13-12_amd64.deb
 877eb11e4f9622859b1bd50698d99e9a02920e7368b0bffe07ff8b5c165abc6a 530994 dovecot-mysql_2.2.13-12_amd64.deb
 ac8174e36a8febc04734505c2792dd9d606fd8d7cb96a2758ce002304ba7785d 529152 dovecot-sqlite_2.2.13-12_amd64.deb
 2765250d38080527f1e8639a34751531e77726dce8432db56fa7eec31f75757e 544372 dovecot-ldap_2.2.13-12_amd64.deb
 1f9c948e66e3adbf944f1a9410841b642c8b207a364edb8f604fd20d68a37894 530390 dovecot-gssapi_2.2.13-12_amd64.deb
 50f0f1eb36657fa2216b707b86838bcc1c9a29658c72df6223d3037a93bcf940 766374 dovecot-sieve_2.2.13-12_amd64.deb
 d70f0960bc5349436fbbdb7499ca1b436addd068674567417d1c939188843ae2 541262 dovecot-solr_2.2.13-12_amd64.deb
 563919c35e42e71df8ee785897009990a136f26a1dc227e34fe2df754ac8f588 548232 dovecot-lucene_2.2.13-12_amd64.deb
 7b94a5dd6298d60ea740eabede7cfdb02644512621fc6a2faa7ee598b04caac1 6720470 dovecot-dbg_2.2.13-12_amd64.deb
Files:
 9adfb06a2d37bd8658c1a985cb698ddc 2887 mail optional dovecot_2.2.13-12.dsc
 59b60be64092587d2d42620e674ca6c8 735008 mail optional dovecot_2.2.13-12.debian.tar.xz
 0d63062abba84f481c7b033e0bd828fc 2656266 mail optional dovecot-core_2.2.13-12_amd64.deb
 66f7c9d9e3d3721af8391b8581cfe971 749754 mail optional dovecot-dev_2.2.13-12_amd64.deb
 2253405ca346b9091d0b4c41ca9166b8 646626 mail optional dovecot-imapd_2.2.13-12_amd64.deb
 94f77766e9efb8ee26a5cf1a07d18879 550032 mail optional dovecot-pop3d_2.2.13-12_amd64.deb
 8fbdf931a2eca0ad839ec935a8d1dc24 541832 mail optional dovecot-lmtpd_2.2.13-12_amd64.deb
 5c2081a84327684af7814c9d11d55a33 568754 mail optional dovecot-managesieved_2.2.13-12_amd64.deb
 c8c85ab52f9a9651fe8bb566459bd10e 533354 mail optional dovecot-pgsql_2.2.13-12_amd64.deb
 8757c95e3a16fb8129254ce1c153e624 530994 mail optional dovecot-mysql_2.2.13-12_amd64.deb
 24065426bf29a6f38118abfb72982a63 529152 mail optional dovecot-sqlite_2.2.13-12_amd64.deb
 ec85295700202442db39753c7f4c9985 544372 mail optional dovecot-ldap_2.2.13-12_amd64.deb
 6e493e4388e4cd3874115c474ad61f6f 530390 mail optional dovecot-gssapi_2.2.13-12_amd64.deb
 53756e513ab9a3aaf74c4425f93c7b74 766374 mail optional dovecot-sieve_2.2.13-12_amd64.deb
 81bfbe88279083e7bc923200d895f9b8 541262 mail optional dovecot-solr_2.2.13-12_amd64.deb
 fdfb3406abdf21940bff84f64f9834f1 548232 mail optional dovecot-lucene_2.2.13-12_amd64.deb
 d4bfdebba4f014928628786641bc539d 6720470 debug extra dovecot-dbg_2.2.13-12_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJVR1+qAAoJEILR9r9eY9LaVH4H/1dOMyLJjzmb8CUeog2A0/w4
R1u/dyFWN2ETWV26khauuCJELq3EGqxROBS35VIKSMniEIuBqAf3epcTRB7j8t1A
pnfww8nrWVU2gWJgM07jV0ZUU9fjTCg/anKDublCxVQt6ATGoDCk9vYGXfazRRRW
TpZqxXnUwiAMsHKNnp3af4ClRxIyQDRguzKXcqFUPH3kQcf99GYeOTUVH98TkE65
3d35rAyHDQjgO7oUmz1s4TwydhXxcJ8tqwJtEhT9K5Jj2ny1HHFKph6HAePO6/kF
klYk2pap11wuPWVML10TxLwe94NyzVcYcpMXBc/1RIfxztTUIgt/QKZIHOmMsI8=
=qATy
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 04 Oct 2015 07:58:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:51:42 2019; Machine Name: buxtehude
