SUSE-SU-2017:1250-1

HIGH7.5

Security update for dovecot22

Published May 11, 2017

Modified 9 years ago

Fix available

Details

Description of the patch:

This update for dovecot22 to version 2.2.29.1 fixes the following issues:

This security issue was fixed:

CVE-2017-2669: Don't double-expand %variables in keys. If dict was used as the authentication passdb, using specially crafted %variables in the username could be used to cause DoS (bsc#1032248)

Additionally stronger SSL default ciphers are now used.

This non-security issue was fixed:

Remove all references /etc/ssl/certs/. It should not be used anymore (bsc#932386)

More changes are available in the changelog. Please make sure you read README.SUSE after installing this update.

Affected Packages

dovecot

SUSE Linux Enterprise Server 12 SP1SUSE Linux Enterprise Server 12 SP2SUSE Linux Enterprise Server for Raspberry Pi 12 SP2SUSE Linux Enterprise Server for SAP Applications 12 SP1SUSE Linux Enterprise Server for SAP Applications 12 SP2

Fixed in:

2.2-3.1

dovecot22

SUSE Linux Enterprise Server 12 SP1SUSE Linux Enterprise Server 12 SP2SUSE Linux Enterprise Server for Raspberry Pi 12 SP2SUSE Linux Enterprise Server for SAP Applications 12 SP1SUSE Linux Enterprise Server for SAP Applications 12 SP2

Fixed in:

2.2.29.1-11.1

dovecot22-backend-mysql

SUSE Linux Enterprise Server 12 SP1SUSE Linux Enterprise Server 12 SP2SUSE Linux Enterprise Server for Raspberry Pi 12 SP2SUSE Linux Enterprise Server for SAP Applications 12 SP1SUSE Linux Enterprise Server for SAP Applications 12 SP2

Fixed in:

2.2.29.1-11.1

dovecot22-backend-pgsql

SUSE Linux Enterprise Server 12 SP1SUSE Linux Enterprise Server 12 SP2SUSE Linux Enterprise Server for Raspberry Pi 12 SP2SUSE Linux Enterprise Server for SAP Applications 12 SP1SUSE Linux Enterprise Server for SAP Applications 12 SP2

Fixed in:

2.2.29.1-11.1

dovecot22-backend-sqlite

SUSE Linux Enterprise Server 12 SP1SUSE Linux Enterprise Server 12 SP2SUSE Linux Enterprise Server for Raspberry Pi 12 SP2SUSE Linux Enterprise Server for SAP Applications 12 SP1SUSE Linux Enterprise Server for SAP Applications 12 SP2

Fixed in:

2.2.29.1-11.1

dovecot22-devel

SUSE Linux Enterprise Software Development Kit 12 SP1SUSE Linux Enterprise Software Development Kit 12 SP2

Fixed in:

2.2.29.1-11.1

References

https://bugzilla.suse.com/1032248

https://bugzilla.suse.com/854512

https://bugzilla.suse.com/932386

https://lists.suse.com/pipermail/sle-security-updates/2017-May/002859.html

https://www.suse.com/security/cve/CVE-2017-2669/

https://www.suse.com/support/security/rating/

https://www.suse.com/support/update/announcement/2017/suse-su-20171250-1/

CVSS Analysis

CVSS v3.0

7.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

HighA:H

7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Upstream

Ecosystems(7)

SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2

Timeline

PublishedMay 11, 2017

ModifiedMay 11, 2017

SUSE-SU-2017:1250-1 | Mondoo Vulnerability Intelligence