CVE-2017-15130

Name: CVE-2017-15130
Description: A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and causing the process to restart.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1333-1, DSA-4130-1
Debian Bugs: 891820

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                       | Version                       | Status
---------------|-------------------------------|-------------------------------|-------
dovecot (PTS)  | jessie, jessie (lts)          | 1:2.2.13-12~deb8u9            | fixed
               | stretch (security)            | 1:2.2.27-3+deb9u7             | fixed
               | stretch (lts), stretch        | 1:2.2.27-3+deb9u8             | fixed
               | buster, buster (lts)          | 1:2.3.4.1-5+deb10u8           | fixed
               | buster (security)             | 1:2.3.4.1-5+deb10u7           | fixed
               | bullseye                      | 1:2.3.13+dfsg1-2+deb11u1      | fixed
               | bullseye (security)           | 1:2.3.13+dfsg1-2+deb11u2      | fixed
               | bookworm (security), bookworm | 1:2.3.19.1+dfsg1-2.1+deb12u1  | fixed
               | sid, trixie                   | 1:2.3.21.1+dfsg1-1            | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version      | Urgency | Origin     | Debian Bugs
--------|--------|------------|--------------------|---------|------------|------------
dovecot | source | wheezy     | 1:2.1.7-7+deb7u2   |         | DLA-1333-1 |
dovecot | source | jessie     | 1:2.2.13-12~deb8u4 |         | DSA-4130-1 |
dovecot | source | stretch    | 1:2.2.27-3+deb9u2  |         | DSA-4130-1 |
dovecot | source | (unstable) | 1:2.2.34-1         |         |            | 891820

Notes

https://www.dovecot.org/list/dovecot-news/2018-February/000370.html
https://github.com/dovecot/core/commit/22311315b9f780211329c1522eb5aaa4faaa9391
https://github.com/dovecot/core/commit/f3504763c27c2661716c0d1dbd3e0fc662107a21
https://github.com/dovecot/core/commit/02da33a59fddd51cc3b8d95989de95574b7332f1
https://github.com/dovecot/core/commit/390592e6af07e02064ebdbb1bbcf06528887370f
https://github.com/dovecot/core/commit/bc27538d084e01a7a1aca3330e27aebfc0e311eb
https://github.com/dovecot/core/commit/00016646cc32a3fa1cf54c22ed7388ed06bbc0f1