CVE-2017-15132

Name	CVE-2017-15132
Description	A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1333-1, DSA-4130-1
Debian Bugs	888432

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
dovecot (PTS)	bullseye	1:2.3.13+dfsg1-2+deb11u1	fixed
	bullseye (security)	1:2.3.13+dfsg1-2+deb11u2	fixed
	bookworm, bookworm (security)	1:2.3.19.1+dfsg1-2.1+deb12u1	fixed
	trixie	1:2.4.1+dfsg1-5	fixed
	sid	1:2.4.1+dfsg1-6	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
dovecot	source	wheezy	1:2.1.7-7+deb7u2	DLA-1333-1
dovecot	source	jessie	1:2.2.13-12~deb8u4	DSA-4130-1
dovecot	source	stretch	1:2.2.27-3+deb9u2	DSA-4130-1
dovecot	source	(unstable)	1:2.2.34-1		888432

Notes

Fixed by: https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch
Regression fix needed on top: https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22