Arch Linux ASA-201504-31 Low: Dovecot Denial of Service Threat

Arch Linux Security Advisory ASA-201504-31
=========================================
Severity: Low
Date    : 2015-04-29
CVE-ID  : CVE-2015-3420
Package : dovecot
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package dovecot before version 2.2.16-2 is vulnerable to a remote
denial of service.

Resolution
=========
Upgrade to 2.2.16-2.

# pacman -Syu "dovecot>=2.2.16-2"

The problem has been fixed upstream but no new version has been released
yet.

Workaround
=========
None.

Description
==========
Dovecot <= 2.2.14 does not correctly handle SSL/TLS handshake failure in
the login process, asking OpenSSL to flush a connection that has already
been aborted. This results in a crash with some versions of OpenSSL
(most likely >= 1.0.2). A patch to OpenSSL has also been written to
handle more gracefully this situation, see references.

Impact
=====
A remote unauthenticated attacker can cause a denial of service by
constantly connecting to Dovecot then causing a SSL/TLS handshake failure.

References
=========
https://access.redhat.com/security/cve/CVE-2015-3420
https://bugs.archlinux.org/task/44757
https://seclists.org/oss-sec/2015/q2/288
https://dovecot.org/pipermail/dovecot/2015-April/100618.html
;user=guest&pass=guest