CVE-2017-15132
First published: Tue Jan 09 2018(Updated: )
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. A abort of SASL authentication results in a memory leak in Dovecot auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion. Upstream patch: <a href="https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch">https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch</a> <a href="https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22.patch">https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22.patch</a>
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/dovecot | <2.2.34 | 2.2.34 |
| redhat/dovecot | <2.3.1 | 2.3.1 |
| debian/dovecot | 1:2.3.13+dfsg1-2+deb11u1 1:2.3.13+dfsg1-2+deb11u2 1:2.3.19.1+dfsg1-2.1+deb12u1 1:2.3.21.1+dfsg1-1 | |
| Dovecot Dovecot | >=2.0.0<=2.2.33 | |
| Dovecot Dovecot | =2.3.0 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =17.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2017-15132
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15132
- http://www.openwall.com/lists/oss-security/2018/01/25/4
- https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch
- https://security-tracker.debian.org/tracker/CVE-2017-15130
- https://security-tracker.debian.org/tracker/CVE-2017-14461
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888432
- https://bugzilla.redhat.com/show_bug.cgi?id=1532768
- https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html
- https://usn.ubuntu.com/3556-1/
- https://usn.ubuntu.com/3556-2/
- https://www.debian.org/security/2018/dsa-4130
- https://www.dovecot.org/list/dovecot-news/2018-February/000370.html
- https://launchpad.net/bugs/cve/CVE-2017-15132
- https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22.patch
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1538717
- http://seclists.org/oss-sec/2018/q1/119
- https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22
- https://nvd.nist.gov/vuln/detail/CVE-2017-15132
- https://ubuntu.com/security/CVE-2017-15132
Frequently Asked Questions
What is the vulnerability ID for the dovecot memory leak vulnerability?
The vulnerability ID for the dovecot memory leak vulnerability is CVE-2017-15132.
What is the severity of CVE-2017-15132?
The severity of CVE-2017-15132 is high with a severity value of 7.5.
Which versions of dovecot are affected by CVE-2017-15132?
The versions of dovecot affected by CVE-2017-15132 are 2.0 up to 2.2.33 and 2.3.0.
How does the vulnerability CVE-2017-15132 impact high performance configuration?
The CVE-2017-15132 vulnerability can cause a memory leak in dovecot's auth client used by login processes, which can result in a process crash in high performance configurations.
How can I fix the CVE-2017-15132 vulnerability?
To fix the CVE-2017-15132 vulnerability, it is recommended to update to the latest patched version of dovecot.
- collector/debian-bugs
- alias/CVE-2017-15132
- agent/weakness
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/remedy
- agent/first-publish-date
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/severity
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/dovecot
- canonical/dovecot dovecot
- version/dovecot dovecot/2.0.0
- version/dovecot dovecot/2.2.33
- version/dovecot dovecot/2.3.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/12.04
- version/ubuntu linux/14.04
- version/ubuntu linux/16.04
- version/ubuntu linux/17.10