CVE-2015-3420
First published: Tue Apr 28 2015(Updated: )
A flaw was found in the way Dovecot handled SSL handshake failures. A remote attacker could use this flaw to crash the imap-login and pop3-login processes. Note that only Dovecot installations accepting SSL/TLS connections that have SSLv3 disabled are vulnerable. Additional details: <a href="http://dovecot.org/pipermail/dovecot/2015-April/100618.html">http://dovecot.org/pipermail/dovecot/2015-April/100618.html</a> <a href="http://seclists.org/oss-sec/2015/q2/288">http://seclists.org/oss-sec/2015/q2/288</a> Upstream patch: <a href="http://hg.dovecot.org/dovecot-2.2/rev/86f535375750">http://hg.dovecot.org/dovecot-2.2/rev/86f535375750</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/dovecot | <2.2.17 | 2.2.17 |
| Dovecot | <=2.2.16 | |
| Fedora | =20 | |
| Fedora | =21 | |
| Fedora | =22 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://dovecot.org/pipermail/dovecot/2015-April/100618.html
- http://seclists.org/oss-sec/2015/q2/288
- http://hg.dovecot.org/dovecot-2.2/rev/86f535375750
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1216059
- http://hg.dovecot.org/dovecot-2.2/diff/09d3c9c6f0ad/src/login-common/ssl-proxy-openssl.c
- https://bugzilla.redhat.com/show_bug.cgi?id=1216057
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157030.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158236.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158261.html
- http://www.openwall.com/lists/oss-security/2015/04/27/1
- http://www.openwall.com/lists/oss-security/2015/04/28/4
- http://www.securityfocus.com/bid/74335
- https://dovecot.org/pipermail/dovecot-news/2015-May/000292.html
- https://dovecot.org/pipermail/dovecot/2015-April/100618.html
Frequently Asked Questions
What is the severity of CVE-2015-3420?
CVE-2015-3420 is considered a medium severity vulnerability due to potential disruptions in Dovecot services.
How do I fix CVE-2015-3420?
To fix CVE-2015-3420, upgrade Dovecot to version 2.2.17 or later.
What systems are affected by CVE-2015-3420?
CVE-2015-3420 affects Dovecot installations that accept SSL/TLS connections and have SSLv3 disabled.
Can CVE-2015-3420 lead to a denial of service?
Yes, CVE-2015-3420 can lead to a denial of service by crashing the imap-login and pop3-login processes.
Is my version of Dovecot vulnerable to CVE-2015-3420?
If your Dovecot version is 2.2.16 or older, you are vulnerable to CVE-2015-3420.
- agent/references
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-3420
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/dovecot
- canonical/dovecot
- version/dovecot/2.2.16
- vendor/fedoraproject
- canonical/fedora
- version/fedora/20
- version/fedora/21
- version/fedora/22