CVE-2017-15132

Name	CVE-2017-15132
Description	A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References	DLA-1333-1, DSA-4130-1
NVD severity	medium (attack range: remote)
Debian Bugs	888432

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
dovecot (PTS)	jessie (security), jessie	1:2.2.13-12~deb8u4	fixed
	stretch (security), stretch	1:2.2.27-3+deb9u2	fixed
	buster, sid	1:2.3.4-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
dovecot	source	(unstable)	1:2.2.34-1	medium		888432
dovecot	source	jessie	1:2.2.13-12~deb8u4	medium	DSA-4130-1
dovecot	source	stretch	1:2.2.27-3+deb9u2	medium	DSA-4130-1
dovecot	source	wheezy	1:2.1.7-7+deb7u2	medium	DLA-1333-1

Notes

Fixed by: https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch
Regression fix needed on top: https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22