[Dovecot] 1.0beta3 released
Timo Sirainen
tss at iki.fi
Fri Feb 17 01:14:51 EET 2006
On 16.2.2006 21:43, "Josh Bressers" <bressers at redhat.com> wrote:
> I'm not subscribed to the list, so please CC me on any replies.
>
>> - Fixed potential hangs after APPEND command

This isn't security related at all. Guess I should have used different
wording.

>> - Fixed potential crashes in dovecot-auth and imap/pop3-login
>
> These two issues have been assigned the CVE id CVE-2006-0730. I've not
> taken a look through CVS yet, but I was wondering if someone can point me
> at some commits as the various distributions will be interested in
> backporting these fixes to any affected versions of dovecot shipped.

These problems aren't in 0.99.x versions.

Dovecot-auth crash exists in 1.0beta1 and beta2 versions, fixed by commit:

2006-01-28 21:09 Timo Sirainen <tss at iki.fi>

    * src/auth/auth-request-handler.c: If authentication client
    disconnects while it still has pending requests, don't crash (got
    broken in the large pointer-change commit).

Imap/pop3-login crash exists in 1.0test33, 1.0beta2 and everything between
them. Fixed by commit:

2006-01-28 21:47 Timo Sirainen <tss at iki.fi>

    * src/: imap-login/client-authenticate.c, imap-login/client.c,
    pop3-login/client-authenticate.c, pop3-login/client.c: If client
    disconnected while we were trying to send authentication
    continuation to it, we crashed.

Patches in:

http://dovecot.org/patches/1.0-auth-crashfix.diff
http://dovecot.org/patches/1.0-login-crashfixes.diff