Bug ID | 1013293 |
---|---|
Summary | VUL-1: CVE-2016-8652: dovecot: auth component crash when auth-policy component is activated |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 42.2 |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | mikhail.kasimov@gmail.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
Reference: http://seclists.org/oss-sec/2016/q4/564 ========================================================================== Important vulnerability in Dovecot (CVE-2016-8652) CVSS score: 7.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H) Affected version(s): 2.2.25.1 up to 2.2.26.1 Fixed in: 2.2.27.1rc1 Short summary: Dovecot auth component can be crashed by remote user when auth-policy component is activated. If auth-policy component has been activated in Dovecot, then remote user can use SASL authentication to crash auth component. Workaround is to disable auth-policy component until fix is in place. This can be done by commenting out all auth_policy_* settings. Aki Tuomi Dovecot oy ==========================================================================