CVE-2017-15130

Name: CVE-2017-15130
Description: A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and a restart of the process.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues)
References: DLA-1333-1, DSA-4130-1
NVD severity: medium (attack range: remote)
Debian Bugs: 891820

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                       Version              Status
dovecot (PTS)    jessie (security), jessie     1:2.2.13-12~deb8u4   fixed
                 stretch (security), stretch   1:2.2.27-3+deb9u2    fixed
                 buster, sid                   1:2.3.2.1-1          fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version        Urgency   Origin       Debian Bugs
dovecot   source   (unstable)   1:2.2.34-1           medium                 891820
dovecot   source   jessie       1:2.2.13-12~deb8u4   medium    DSA-4130-1
dovecot   source   stretch      1:2.2.27-3+deb9u2    medium    DSA-4130-1
dovecot   source   wheezy       1:2.1.7-7+deb7u2     medium    DLA-1333-1

Notes

https://www.dovecot.org/list/dovecot-news/2018-February/000370.html
https://github.com/dovecot/core/commit/22311315b9f780211329c1522eb5aaa4faaa9391
https://github.com/dovecot/core/commit/f3504763c27c2661716c0d1dbd3e0fc662107a21
https://github.com/dovecot/core/commit/02da33a59fddd51cc3b8d95989de95574b7332f1
https://github.com/dovecot/core/commit/390592e6af07e02064ebdbb1bbcf06528887370f
https://github.com/dovecot/core/commit/bc27538d084e01a7a1aca3330e27aebfc0e311eb
https://github.com/dovecot/core/commit/00016646cc32a3fa1cf54c22ed7388ed06bbc0f1
