Security update for dovecot22 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:1250-1 Final 1 1 2017-05-11T14:23:26Z current 2017-05-11T14:23:26Z 2017-05-11T14:23:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dovecot22 This update for dovecot22 to version 2.2.29.1 fixes the following issues: This security issue was fixed: - CVE-2017-2669: Don't double-expand %variables in keys. If dict was used as the authentication passdb, using specially crafted %variables in the username could be used to cause DoS (bsc#1032248) Additionally stronger SSL default ciphers are now used. This non-security issue was fixed: - Remove all references /etc/ssl/certs/. It should not be used anymore (bsc#932386) More changes are available in the changelog. Please make sure you read README.SUSE after installing this update. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-RPI-12-SP2-2017-747,SUSE-SLE-SDK-12-SP1-2017-747,SUSE-SLE-SDK-12-SP2-2017-747,SUSE-SLE-SERVER-12-SP1-2017-747,SUSE-SLE-SERVER-12-SP2-2017-747 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20171250-1/ Link for SUSE-SU-2017:1250-1 https://lists.suse.com/pipermail/sle-security-updates/2017-May/002859.html E-Mail link for SUSE-SU-2017:1250-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1032248 SUSE Bug 1032248 https://bugzilla.suse.com/854512 SUSE Bug 854512 https://bugzilla.suse.com/932386 SUSE Bug 932386 https://www.suse.com/security/cve/CVE-2017-2669/ SUSE CVE CVE-2017-2669 page SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Software Development Kit 12 SP1 SUSE Linux Enterprise Software Development Kit 12 SP2 dovecot-2.2-3.1 dovecot22-2.2.29.1-11.1 dovecot22-backend-mysql-2.2.29.1-11.1 dovecot22-backend-pgsql-2.2.29.1-11.1 dovecot22-backend-sqlite-2.2.29.1-11.1 dovecot22-devel-2.2.29.1-11.1 dovecot-2.2-3.1 as a component of SUSE Linux Enterprise Server 12 SP1 dovecot22-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server 12 SP1 dovecot22-backend-mysql-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server 12 SP1 dovecot22-backend-pgsql-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server 12 SP1 dovecot22-backend-sqlite-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server 12 SP1 dovecot-2.2-3.1 as a component of SUSE Linux Enterprise Server 12 SP2 dovecot22-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server 12 SP2 dovecot22-backend-mysql-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server 12 SP2 dovecot22-backend-pgsql-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server 12 SP2 dovecot22-backend-sqlite-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server 12 SP2 dovecot-2.2-3.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 dovecot22-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 dovecot22-backend-mysql-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 dovecot22-backend-pgsql-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 dovecot22-backend-sqlite-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 dovecot-2.2-3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 dovecot22-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 dovecot22-backend-mysql-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 dovecot22-backend-pgsql-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 dovecot22-backend-sqlite-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 dovecot-2.2-3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 dovecot22-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 dovecot22-backend-mysql-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 dovecot22-backend-pgsql-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 dovecot22-backend-sqlite-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 dovecot22-devel-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1 dovecot22-devel-2.2.29.1-11.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang. CVE-2017-2669 SUSE Linux Enterprise Server 12 SP1:dovecot-2.2-3.1 SUSE Linux Enterprise Server 12 SP1:dovecot22-2.2.29.1-11.1 SUSE Linux Enterprise Server 12 SP1:dovecot22-backend-mysql-2.2.29.1-11.1 SUSE Linux Enterprise Server 12 SP1:dovecot22-backend-pgsql-2.2.29.1-11.1 SUSE Linux Enterprise Server 12 SP1:dovecot22-backend-sqlite-2.2.29.1-11.1 SUSE Linux Enterprise Server 12 SP2:dovecot-2.2-3.1 SUSE Linux Enterprise Server 12 SP2:dovecot22-2.2.29.1-11.1 SUSE Linux Enterprise Server 12 SP2:dovecot22-backend-mysql-2.2.29.1-11.1 SUSE Linux Enterprise Server 12 SP2:dovecot22-backend-pgsql-2.2.29.1-11.1 SUSE Linux Enterprise Server 12 SP2:dovecot22-backend-sqlite-2.2.29.1-11.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:dovecot-2.2-3.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:dovecot22-2.2.29.1-11.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:dovecot22-backend-mysql-2.2.29.1-11.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:dovecot22-backend-pgsql-2.2.29.1-11.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:dovecot22-backend-sqlite-2.2.29.1-11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:dovecot-2.2-3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:dovecot22-2.2.29.1-11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:dovecot22-backend-mysql-2.2.29.1-11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:dovecot22-backend-pgsql-2.2.29.1-11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:dovecot22-backend-sqlite-2.2.29.1-11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:dovecot-2.2-3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:dovecot22-2.2.29.1-11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:dovecot22-backend-mysql-2.2.29.1-11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:dovecot22-backend-pgsql-2.2.29.1-11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:dovecot22-backend-sqlite-2.2.29.1-11.1 SUSE Linux Enterprise Software Development Kit 12 SP1:dovecot22-devel-2.2.29.1-11.1 SUSE Linux Enterprise Software Development Kit 12 SP2:dovecot22-devel-2.2.29.1-11.1 moderate 5.4 AV:N/AC:H/Au:N/C:N/I:N/A:C 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171250-1/ https://www.suse.com/security/cve/CVE-2017-2669.html CVE-2017-2669 https://bugzilla.suse.com/1032248 SUSE Bug 1032248