convert ssl_protocols strings to min/max values. Patch to neuter the autoconf
check because this code doesn't work correctly (in particular it doesn't
handle strings with !SSLv2) and fallback to the old working code instead.
No reply to https://www.dovecot.org/pipermail/dovecot/2018-March/111260.html
but the code is different in Dovecot master/2.3 (it looks like they did it
this way in 2.2 so they could use the 1.1-api functions without config
changes, but it backfired).
ok Brad
protocol string to avoid using !SSLv2 which is not supported. ok juanfra@ Brad
* CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage,
causing imap-login/pop3-login VSZ limit to be reached and the process
restarted. This happens only if Dovecot config has local_name { } or local
{ } configuration blocks and attacker uses randomly generated SNI servernames.
* CVE-2017-14461: Parsing invalid email addresses may cause a crash or leak
memory contents to attacker. For example, these memory contents might contain
parts of an email from another user if the same imap process is reused for
multiple users.
* CVE-2017-15132: Aborted SASL authentication leaks memory in login process.
if the root user starts spamd with the --username
flag, the supplemental group list of the spamd worker processes is never
changed. The worker processes execute with root's original supplemental
group list.
Ephemeral RSA was only used with really ancient export ciphersuites, which
LibreSSL has not supported for a very long time - all of the remaining
API are no-ops.
It is actually quite horrific that some software still goes out of its way
to try to enable support for ephemeral RSA...
ok sthen@
"Using a handcrafted message, remote code execution seems to be possible"
thanks to whichever of the distributions that was under embargo and
released early, as this means that the fix was made available sooner
than it would have otherwise been.
(note that this is now dual licensed, you can now choose to use it under
Eclipse Public License 2.0 instead of the existing IBM Public License 1.0
if you prefer).